Block encryption device using auxiliary conversion

ABSTRACT

It is desired to share one circuit by an encryption unit  200  and a decryption unit  500 . A normal data transformation unit (FL)  251  and an inverse data transformation unit (FL −1 )  273  are located at point symmetry on a non-linear data transformation unit  220 , and a normal data transformation unit (FL)  253  and an inverse data transformation unit (FL −1 )  271  are located at point symmetry on the non-linear data transformation unit  220 . Therefore, the encryption unit  200  and the decryption unit  500  can be configured using the same circuits.

This application is the national phase under 35 U.S.C. § 371 of PCTInternational Application No. PCT/JP01/01796 which has an Internationalfiling date of Mar. 8, 2001, which designated the United States ofAmerica.

TECHNICAL FIELD

The present invention relates to a data transformation apparatus, datatransformation methods, and storage media in which data transformationmethods are recorded, for encryption, decryption, and data diffusion inorder to protect digital information on information communications.

BACKGROUND ART

FIG. 25 represents an encryption function which is used in DES describedin “Gendai Ango Riron (Modern Cipher Theory)” (The Institute ofElectronics, Information and Communication Engineers, published on Nov.15, 1997, page 46).

As shown in FIG. 25, eight S-boxes are used. These eight S-boxes aremutually different tables. Each table outputs 4-bit data from 6-bitinput data.

FIG. 26 shows non-linear transformation function which is described in“Specification of E2—a 128-bit Block Cipher” (Nippon Telegraph andTelephone Corporation, published on Jun. 14, 1998, page 10).

As shown in FIG. 26, each S-function unit consists of eight S-boxes.

Conventional encryption devices use multiple S-boxes. Since some ciphersare equipped with mutually different tables, memory usage is increasedas compared to ones equipped with one S-box. Since, on the other hand,other ciphers use only one S-box, the security of the cipher isdecreased.

As shown in FIG. 7, when a normal data transformation unit (FL) 250 isinserted in the encryption unit, it is required to provide an inversedata transformation unit (FL⁻¹) 270 in a decryption unit to decrypt theciphertexts. Since, generally, the normal data transformation unit (FL)250 and the inverse data transformation unit (FL⁻¹) 270 are mutuallydifferent circuits, causes a problem that the encryption unit and thedecryption unit cannot provide the same configuration

Furthermore, in generating extension keys, complex operations arerequired in order to generate the extension keys having higher security.There is another problem in case of generating the extension keys thatthe number of bits of key data to be input as an initial value should befixed.

The present invention aims to provide systems in which circuits forencryption and decryption are the same, and in which circuit area,program size and memory usage which are used for non-lineartransformation computation can be reduced, and furthermore, theextension keys can be generated using a simpler configuration.

DISCLOSURE OF THE INVENTION

A data transformation apparatus of the present invention ischaracterized by that in the data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data,

the data processing unit divides data to be transformed into first data(L) and second data (R) and performs a data transformation, and

the data processing unit includes:

a normal data transformation unit (FL) for transforming the first data(L); and

an inverse data transformation unit (FL⁻¹) for transforming the seconddata (R) by performing an inverse transformation of a transformation bythe normal data transformation unit (FL).

The above data processing unit includes a first input port, a secondinput port, a first output port, and a second output port,

the above normal data transformation unit (FL) outputs transformed datato the first input port of the data processing unit, and

the above inverse data transformation unit (FL⁻¹) transforms the dataoutput from the second output port of the data processing unit andoutputs transformed data.

The above data processing unit includes a first input port, a secondinput port, a first output port, and a second output port,

the normal data transformation unit (FL) outputs transformed data to thesecond input port of the data processing unit, and

the inverse data transformation unit (FL⁻¹) transforms the data outputfrom the first output port of the data processing unit and outputstransformed data.

A data transformation apparatus of the present invention ischaracterized by that in the having a data processing unit for inputtingkey data and performing at least one of encryption of data anddecryption of data,

the data processing unit includes a non-linear transformation unit forperforming a non-linear transformation of data,

the non-linear transformation unit includes:

a first transformation unit (s₁) for inputting a part of data to betransformed as first partial data, transforming the first partial datausing a transformation table T, which inputs data, transforms a value ofthe data into another value and outputs the data, and outputtingtransformed data; and

a second transformation unit (s₂) for inputting at least another part ofthe data to be transformed as second partial data, transforming thesecond partial data by a transformation using the transformation table Tand an operation for second part, and outputting transformed data.

The above first transformation unit (s₁) inputs data y₁ to thetransformation table T to output data s₁(y₂) and outputs the data s₁(y₁)as data z₁=s₁(y₁), and

the second transformation unit (s₂) inputs data y₂ to the transformationtable T to output data s₁(y₂), performs rotational shift on s₁(y₂) tooutput (rot (s₁(y₂))), and outputs the data (rot (s₁(y₂))) as dataZ₂=rot (s₁(y₂)).

The above data processing unit further includes a third transformationunit (s₃) and a fourth transformation unit (s₄) for respectivelyinputting partial data which is different from the first partial dataand the second partial data as third partial data and inputting partialdata which is different from the first partial data, the second partialdata, and the third partial data as fourth partial data, transformingthe third partial data and the fourth partial data by the transformationusing the transformation table T and an operation for third part and anoperation for fourth part, both of which are different from theoperation for second part of the second transformation unit (s₂), andoutputting transformed data.

A data transformation apparatus of the present invention ischaracterized by that in the data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data,

the data processing unit includes:

a subfield transformation unit for inputting data to be transformed,assuming the data as an element of a field, transforming the data by aninverse element circuit using a subfield of the field, and outputtingtransformed data; and

an affine transformation unit for vector space GF(2)^(n) on GF(2),provided at least one of a former round and a latter round of thesubfield transformation unit, for assuming data on GF(2)^(n) to betransformed as an element of GF(2)^(n) which corresponds naturally.

The above subfield transformation unit includes only plural N/2-bitoperation units for equally dividing data X having N (N: even number)bits into upper 2/N-bit data X₁ and lower N/2 bit data X₀ so as to beX=X₀+βX₁ (X₀, X₁: elements of the subfield, β: an element of the field),and obtaining data Y by respectively operating upper N/2-bit data Y₁ andlower N/2-bit data Y₀ so as to be Y=Y₀+βY₁=1/(X₀+βX₁) (where Y=0, whenX=0).

A data transformation apparatus of the present invention ischaracterized by that in the data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data, and a key generating unit forgenerating key data to be used by the data processing unit and supplyingthe key data to the data processing unit,

the data processing unit includes a non-linear transformation unithaving cascaded plural rounds, each of the plural rounds inputs anextension key and performs a non-linear transformation,

the key generating unit includes a key shifting unit for inputting atleast one of the key data and data generated from the key data anddepending on the key data, performing a rotational shift by apredetermined number of bits Z₁, Z₂, . . . , Z_(m) (where each of i, j,k is one of 1 through m, Z_(k)−Z_(j)=I×(Z_(i+1)−Z_(i))=I×B (I is aninteger, B=Z_(i+1)−Z_(i))), and generating an extension key for the eachof the plural rounds of the non-linear transformation unit from the keydata on which the rotational shift is performed, and

the key shifting unit includes:

a rotational shift register for performing a rotational shift by(Z_(i+1)−Z_(i)) bits (B bits) at one operation; and

a controller for operating the rotational shift register 1 time on thekey data, on which the rotational shift is performed by Z_(i) bits, toperform the rotational shift by (Z_(i+1)−Z_(i)) bits (B bits), makingthe rotational shift register to generate the key data which isperformed the rotational shift by Z_(i+1) bits, and

operating the rotational shift register I time(s) on the key data, onwhich the rotational shift is performed by Z_(i+1) bits, to perform therotational shift by I×(Z_(i+1)−Z_(i)) bits (I×B bits), and making therotational shift register to generate the key data which is performedthe rotational shift by Z_(i+2) bits.

The above rotational shift register is a circuit which performs arotational shift of Z_(i+1)−Z_(i) bits (B bits) by 1 clock cycle of anoperation clock supplied for operating the rotational shift register.

The above rotational shift circuit includes a selector for selecting oneof B₁=8×J₁+1 (J₁=an integer greater than 0) bits and B₂=8×J₂ −1(J₂=aninteger greater than 1, there is no relation between J₁ and J₂, namely,J₁≠J₂ or J₁=J₂) bits as (Z_(i+1)−Z_(i)) bits (B bits).

A data transformation apparatus of the present invention ischaracterized by that in the data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data, and a key generating unit forgenerating key data to be used by the data processing unit and supplyingthe key data to the data processing unit,

the data processing unit includes a non-linear transformation unit ofcascaded plural rounds, each of the plural rounds inputs an extensionkey and performs a non-linear transformation,

the key generating unit includes a key shifting unit for rotationallyshifting key data by a predetermined number of bits (B bits)successively on generating the extension key to be supplied to the eachof the plural rounds of the non-linear transformation unit, andgenerating an extension key used for the each of the plural rounds ofthe non-linear transformation unit from key data,

the key shifting unit does not generate the extension key by ignoringcertain data among the key data being rotationally shifted by B bitssuccessively, and generates the extension key from other remaining data.

A data transformation apparatus of the present invention ischaracterized by that in the data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data, and a key generating unit forgenerating key data to be used by the data processing unit and supplyingthe key data to the data processing unit,

the key generating unit includes:

a first G-bit key transformation unit for inputting G-bit key datahaving G bits, transforming the G-bit key data, and outputting firstG-bit transformed key data having G bits; and

a second G-bit transformation unit for inputting the first G-bittransformed key data output from the first G-bit key transformationunit, transforming the G-bit key data, and outputting second G-bittransformed key data, and

the key generating unit, in case that the key generating unit inputsG-bit key data K, inputs the G-bit key data K to the first G-bit keytransformation unit to transform and outputs G-bit transformed key dataK₁ output from the first G-bit key transformation unit as G-bit key datatransformed, and

the key generating unit, in case that the key generating unit inputs2G-bit key data K, generates G-bit key data from the 2G-bit key data K,inputs the G-bit key data generated to the first G-bit keytransformation unit to transform, and outputs first G-bit transformedkey data K₁, inputs the first G-bit transformed key data K₁ to thesecond G-bit transformation unit to transform, and outputs second G-bittransformed key data K₂, concatinates the first G-bit transformed keydata K₁ output from the first G-bit key transformation unit and thesecond G-bit transformed key data K₂ output from the second G-bittransformation unit, and outputs a concatinated result as transformed2G-bit key data (K₁, K₂).

The above first G-bit key transformation unit includes:

a non-linear transformation unit having two rounds for performingnon-linear transformation on the G-bit key data; and

a logical operation unit for performing a logical operation of a halfwaytransformed G-bit key data output from a second round of the nonlineartransformation unit and the G-bit key data input to the first G-bit keytransformation unit.

The above key generating unit further includes a bit lengthtransformation unit for converting Q-bit key data into the 2G-bit keydata in case that the Q-bit (G<Q<2G) key data is input.

A data transformation apparatus of the present invention ischaracterized by that in a data transformation apparatus having:

a data processing unit for inputting key data and performing at leastone of encryption of data and decryption of data; and,

a key generating unit for generating key data to be used by the dataprocessing unit and supplying the key data to the data processing unit,

the data transformation apparatus including a non-linear function unit(F) having:

a key function unit for performing a logical operation of data to betransformed and the key data;

an S function unit for converting data to be transformed into otherdata; and

a P function unit for performing a logical operation among pieces ofdata to be transformed, and

the key function unit is placed between the S function unit and the Pfunction unit in the non-linear function unit (F).

A data transformation apparatus of the present invention ischaracterized by that in a data transformation apparatus having:

a data processing unit for inputting key data and performing at leastone of encryption of data and decryption of data, and a key generatingunit for generating key data to be used by the data processing unit andsupplying the key data to the data processing unit,

the data transformation apparatus including a non-linear function unit(F) including:

a key function unit for performing a logical operation of data to betransformed and the key data;

an S function unit for converting data to be transformed into otherdata; and

a P function unit for performing a logical operation among pieces ofdata to be transformed, and

the key function unit is placed one of before the S function unit andthe P function unit and after the S function unit and the P functionunit in the non-linear function unit (F).

The above S function unit includes:

a first transformation unit (s₁) for inputting a part of data to betransformed as first partial data, transforming the first partial datausing a transformation table T, which inputs data, transforms a value ofthe data into another value, and outputs the data, and outputtingtransformed data; and

a second transformation unit (s₂) for inputting at least another part ofthe data to be transformed as second partial data, transforming thesecond partial data by a transformation using the transformation table Tand an operation for the second part, and outputting transformed data.

A data transformation apparatus of the present invention ischaracterized by that in a data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data, the data transformationapparatus includes

a non-linear function unit (F) including a P function unit whichperforms a logical operation among pieces of data to be transformed, and

the P function unit inputs eight pieces of 4n-bit data (n is an integergreater than 1) z₁, z₂, . . . , z₈ and includes:

a circuit for performing an XOR operation of at least two of the fourpieces of data z₁, z₂, z₃, z₄ to obtain 4n-bit operation result U₁;

a circuit for performing an XOR operation of at least two of the fourpieces of data z₅, z₆, z₇, z₈ to obtain 4n-bit operation result U₂;

a circuit for performing an XOR operation of U₁ and U₂ to obtain 4n-bitoperation result U₃;

a rotational circuit for performing a rotational shift on U₁; and

a circuit for performing an XOR operation of output from the rotationalcircuit and U₃ to obtain 4n-bit operation result U₄, and

the data transformation apparatus divides U₃ and U₄ into four pieces ofdata, respectively, and outputs eight pieces of n-bit data z′₁, z′₂, . .. , z′₈.

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data,

the data processing process divides data to be transformed into firstdata (L) and second data (R) and performs data transformation, and

the data processing process includes:

a normal data transformation process (FL) for transforming the firstdata (L); and

an inverse data transformation process (FL⁻¹) for transforming thesecond data (R) by performing an inverse transformation of atransformation of the normal data transformation process (FL).

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data,

the data processing process includes a non-linear transformation processfor performing a non-linear transformation of data,

the non-linear transformation process includes:

a first transformation process (s₁) for inputting a part of data to betransformed as first partial data, transforming the first partial datausing a transformation table T, which inputs data, transforms a value ofthe data into another value and outputs the data, and outputtingtransformed data; and

a second transformation process (s₂) for inputting at least another partof data to be transformed as second partial data, transforming thesecond partial data by transformation using the transformation table Tand an operation for second part, and outputting transformed data.

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data, the data processing process includes:

a subfield transformation process for inputting data to be transformed,assuming the data as an element of a field, transforming the data by aninverse element circuit using a subfield of the field, and outputtingtransformed data; and

an affine transformation process for vector space GF(2)^(n) on GF(2),provided at at least one of a former round and a latter round of thesubfield transformation unit for assuming data on GF(2)^(n) to betransformed as an element of GF(2)^(n) which corresponds naturally.

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for performing at least one of encryption of data and decryptionof data, and a key generating process for generating key data to be usedby the data processing process and supplying the key data to the dataprocessing process,

the data processing process includes a non-linear transformation processhaving cascaded plural rounds, each of the plural rounds inputs anextension key and performs a non-linear transformation,

the key generating process includes a key shifting process for inputtingat least one of the key data and data which is generated from the keydata and depending on the key data, performing a rotational shift by apredetermined number of bits Z₁, Z₂, . . . , Z_(m) (where each of i, j,k is one of 1 through m, Z_(k)−Z_(j)=I×(Z_(i+1)−Z_(i))=I×B (I is aninteger, B=Z_(i+1)−Z_(i))), and generating an extension key for the eachof the plural round of the non-linear transformation process from thekey data on which the rotational shift is performed, and

the key shifting process includes:

a rotational shifting process; and

a control process for operating the rotational shifting process 1 timeon the key data, on which the rotational shift is performed by Z_(i)bits, to perform the rotational shift by (Z_(i+1)−Z_(i)) bits (B bits),making the rotational shifting process to generate the key data which isperformed the rotational shift by Z_(i+1) bits, and operating therotational shifting process I times on the key data, on which therotational shift is performed by Z_(i+1) bits, to perform the rotationalshift by I×(Z_(i+1)−Z_(i)) bits (I×B bits), and making the rotationalshifting process to generate the key data which is performed therotational shift by z_(i+2) bits.

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data, and a key generating process forgenerating key data to be used by the data processing process andsupplying the key data to the data processing process,

the data processing process includes a non-linear transformation havingcascaded plural rounds, each of the plural rounds inputs an extensionkey and performs a non-linear transformation,

the key generating process includes a key shifting process forrotationally shifting key data by a predetermined number of bits (Bbits) successively on generating the extension key to be supplied to theeach of the plural rounds of the non-linear transformation process, andgenerating an extension key used for the each of the plural rounds ofthe non-linear transformation process from key data being rotationallyshifted,

the key shifting process does not generate the extension key by ignoringcertain data among the key data being rotationally shifted by B bitssuccessively, and generates the extension key from other remaining data.

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data, and a key generating process forgenerating key data to be used by the data processing process andsupplying the key data to the data processing process,

the key generating process includes:

a first G-bit key transformation process for inputting G-bit key datahaving G bits, transforming the G-bit key data, and outputting firstG-bit transformed key data having G bits; and

a second G-bit transformation process for inputting the first G-bittransformed key data output from the first G-bit key transformationprocess, transforming the G-bit key data, and outputting second G-bittransformed key data, and

the key generating process, when the key generating process inputs G-bitkey data K, inputs the G-bit key data K to the first G-bit keytransformation process, transforms the G-bit key data K, and outputsG-bit transformed key data K₁ output from the first G-bit keytransformation process as G-bit key data transformed, and

the key generating process, when the key generating process inputs2G-bit key data K, generates G-bit key data from the 2G-bit key data K,inputs the G-bit key data generated to the first G-bit keytransformation process to transform and outputs the first G-bittransformed key data K₁, inputs the first G-bit transformed key data K₁to the second G-bit transformation process to transform and outputssecond G-bit transformed key data K₂, concatenates the first G-bittransformed key data K₁ output from the first G-bit key transformationunit and the second G-bit transformed key data K₂ output from the secondG-bit transformation unit, and outputs a concatenated result astransformed 2G-bit key data (K₁, K₂).

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data, and a key generating process forgenerating key data to be used by the data processing process andsupplying the key data to the data processing process, the datatransformation method including a non-linear function process (F)including:

a key function process for performing a logical operation of data to betransformed and the key data;

an S function process for converting data to be transformed into otherdata; and

a P function process for performing a logical operation among pieces ofdata to be transformed, and

the key function process is placed between the S function process andthe P function process in the non-linear function process (F).

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess for inputting key data and performing at least one of encryptionof data and decryption of data, and a key generating process forgenerating key data to be used by the data processing process andsupplying the key data to the data processing process, the datatransformation method including a non-linear function process (F)having:

a key function process for performing a logical operation of data to betransformed and the key data;

an S function process for converting data to be transformed into otherdata; and

a P function process for performing a logical operation among pieces ofdata to be transformed, and

the key function process is placed one of before the S function processand the P function process and after the S function process and the Pfunction process in the non-linear function process (F).

A data transformation apparatus of the present invention ischaracterized by that in a data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data,

the data processing unit includes:

a first input port;

a second input port;

a first output port;

a second output port;

a non-linear transformation unit for performing data encryption and datadecryption using same algorithm;

a first input normal data transformation unit for transforming datainput to the first input port; and

a second output inverse data transformation unit for inputting dataoutput from the second output port and performing an inversetransformation of a transformation by the first input normal datatransformation unit.

The above non-linear transformation unit includes an algorithm thatfirst input data and second output data become identical and secondinput data and first output data become identical in case of:

inputting first input data from the first input port,

inputting second input data from the second input port,

performing non-linear transformations on the first input data and thesecond input data using key data for encryption and generates firsttransformed data and second transformed data,

outputting the first transformed data from the first output port,

outputting the second transformed data from the second output port,

inputting the first transformed data from the second input port,

inputting the second transformed data from the first input port,

performing non-linear transformations on the first transformed data andthe second transformed data using key data for decryption, and generatesfirst output data and second output data,

outputting the first output data from the second output port, and

outputting the second output data from the first output port.

The above data processing unit further includes:

a second input normal data transformation unit for transforming datainput to the second input port;

a first output inverse data transformation unit for inputting dataoutput from the first output port and performing an inversetransformation of a transformation by the second input normal datatransformation unit.

A data transformation apparatus of the present invention ischaracterized by that in a data transformation apparatus having a dataprocessing unit for inputting key data and performing at least one ofencryption of data and decryption of data, and a key generating unit forgenerating key data to be used by the data processing unit and supplyingthe key data to the data processing unit,

the data processing unit includes a non-linear function unit (F) forperforming a non-linear transformation on data to be transformed, and

the key generating unit processes the key data to be supplied to thenon-linear function unit (F), supplies a processed key data to make anoperation with data to a part other than the non-linear function unit(F) in the data processing unit.

A data transformation method of the present invention is characterizedby that in a data transformation method for executing a data processingprocess of inputting key data and performing at least one of encryptionof data and decryption of data, and a key generating process ofgenerating key data which is used by the data processing process andsupplying the key data to the data processing process,

the data processing process includes a non-linear function process (F)for performing a non-linear transformation of data to be transformed,and

the key generating process processes the key data to be supplied to thenon-linear function process (F), supplies a processed key data to makecalculate data to a part other than the non-linear function process (F)in the data processing process.

A present invention is characterized by a computer-readable storagemedium for storing a program for having a computer perform the abovedata transformation method.

A present invention is characterized by a program for having a computerperform the above data transformation method.

BRIEF EXPLANATION OF THE DRAWINGS

FIG. 1 shows a data transformation unit for encryption 100 and a datatransformation unit for decryption 400.

FIG. 2 shows notations.

FIG. 3 shows a configuration of an encryption unit 200 or a decryptionunit 500.

FIG. 4 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 5 shows a configuration of a normal data transformation unit (FL)251.

FIG. 6 shows a configuration of an inverse data transformation unit(FL⁻¹) 271.

FIG. 7 shows a part of a conventional encryption unit and a conventionaldecryption unit.

FIG. 8 shows a part of the encryption unit 200 and the decryption unit500.

FIG. 9 shows the normal data transformation unit (FL) 251 and theinverse data transformation unit (FL⁻¹) 271 which are placed at pointsymmetry.

FIG. 10 shows relation between the normal data transformation unit (FL)251 and the inverse data transformation unit (FL⁻¹) 271 which are placedat point symmetry.

FIG. 11 shows a non-linear function unit F.

FIG. 12 shows a configuration of an S-box first transformation unit 13and an S-box second transformation unit 14.

FIG. 13 shows a configuration of an S-box transformation unit 21.

FIG. 14 shows a configuration of a linear transformation unit 85.

FIG. 15 shows a configuration of a linear transformation unit 87.

FIG. 16 shows a configuration of a key generating unit 300 or a keygenerating unit 600.

FIG. 17 explains operations of a bit length transformation unit 310.

FIG. 18 shows a configuration of a shift register A 341.

FIG. 19 shows a configuration of a control table of a shift control unit345.

FIG. 20 shows operations of the shift register A 341 and a shiftregister B 342.

FIG. 21 shows correspondence between the shift register A 341, the shiftregister B 342 and extension keys.

FIG. 22 shows operations of the shift registers A 341 through D 344.

FIG. 23 shows correspondence between the shift registers A 341 through D344 and extension keys.

FIG. 24 shows a computer which is equipped with the data transformationunit for encryption 100 and the data transformation unit for decryption400.

FIG. 25 shows a configuration of the encryption function of DES.

FIG. 26 shows a configuration of the non-linear function of 128-bitblock cipher E2.

FIG. 27 shows another example of S-box transformation units.

FIG. 28 shows a non-linear function unit F which is equipped with thefirst through fourth S-box transformation units.

FIG. 29 shows another non-linear function unit F in which a location ofthe key function unit 25 is moved.

FIG. 30 shows another non-linear function unit F in which a location ofthe key function unit 25 is moved.

FIG. 31 shows another configuration of a P function unit 30.

FIG. 32 shows another configuration of the P function unit 30.

FIG. 33 shows configurations and operations of S1 through S4 of FIG. 31.

FIG. 34 shows a proof of non-existence of an equivalent keys.

FIG. 35 shows a proof of non-existence of an equivalent keys.

FIG. 36 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 37 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 38 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 39 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 40 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 41 shows another configuration of the encryption unit 200 or thedecryption unit 500.

FIG. 42 shows a configuration in which the units of FIG. 39 and FIG. 40are combined.

FIG. 43 shows a configuration of the encryption unit 200 or thedecryption unit 500, which is shown in FIG. 3, using the non-linearfunction unit F shown in FIG. 28.

FIG. 44 shows a modified configuration of FIG. 43 by using a nonlinearfunction unit F′ in which the the key function unit 25 of the non-linearfunction unit F is removed.

FIG. 45 shows a modified configuration of FIG. 44 by merging thewhitening extension keys with the extension keys.

FIG. 46 shows a modified configuration in which the key function unit 25is removed from the non-linear function unit F and in which an extensionkey k is supplied to an XOR circuit 298, when the non-linear functionunit F is configured as shown in FIG. 29.

FIG. 47 shows a modified configuration in which the key function unit 25is removed from the linear function unit F and in which a linearlytransformed extension key k′ is supplied to the XOR circuit 298, whenthe non-linear function unit F is configured as shown in FIG. 30.

BEST MODE FOR CARRYING OUT THE INVENTION Embodiment 1

FIG. 1 shows a data transformation unit for encryption 100 and a datatransformation unit for decryption 400 in this embodiment.

The data transformation unit for encryption 100 is, for example, anencryption device which outputs 128-bit ciphertexts from 128-bit inputplaintexts. The data transformation unit for decryption 400 is adecryption device which outputs 128-bit plaintexts from 128-bit inputciphertexts. The data transformation unit for encryption 100 consists ofan encryption unit 200 and a key generating unit 300. The encryptionunit 200 is a data processing unit for encrypting plaintexts. The keygenerating unit 300 generates multiple (n) 64-bit or 128-bit extensionkeys using constants V, from 128-bit, 192-bit or 256-bit input key data,and supply them to the encryption unit 200. The data transformation unitfor decryption 400 consists of a decryption unit 500 and a keygenerating unit 600. The decryption unit 500 is a data processing unitfor decrypting ciphertexts. The key generating unit 600 is the same asor similar to the above key generating unit 300. Furthermore, since theencryption unit 200 and the decryption unit 500 can run the sameprocedure, they can share one circuit or one program, though theencryption unit 200 and the decryption unit 500 are illustratedseparately in the figures. Similarly, the key generating units 300 and600 can share one circuit or one program. That is, one circuit or oneprogram can be shared by the data transformation unit for encryption 100and the data transformation unit for decryption 400.

FIG. 2 shows meanings of notations used for the following figures ordescriptions.

In FIG. 3 and the subsequent figures, a left half of data is called“left data L” and a right half of data is called “right data R”.Furthermore, the data which are input to non-linear data transformationunits 210, 220, 230, and 240 are called “input data”, the internal dataof the non-linear data transformation units 210, 220, 230, and 240 arecalled “intermediate data”, and data which are output from thenon-linear data transformation units 210, 220, 230, and 240 are called“output data”.

FIG. 3 shows an example of the encryption unit 200 or the decryptionunit 500.

FIG. 3 shows a configuration in which 6-round non-linear datatransformation unit 210, 6-round non-linear data transformation unit220, and 6-round non-linear data transformation unit 230 are cascade.The normal data transformation unit (FL) 251 and the inverse datatransformation unit (FL⁻¹) 271 are inserted between the 6-roundnon-linear data transformation unit 210 and the 6-round non-linear datatransformation unit 220. Furthermore, the normal data transformationunit (FL) 253 and the inverse data transformation unit (FL⁻¹) 273 areinserted between the 6-round non-linear data transformation unit 220 andthe 6-round non-linear data transformation unit 230. Inside the 6-roundnon-linear data transformation unit 210, 6 rounds of non-linear datatransformation units are provided. For example, a non-linear datatransformation unit 280 consists of a non-linear function unit F and anXOR (exclusive OR) circuit 290. In this way, in case of FIG. 3, 18rounds of non-linear data transformation units are provided in total.

The non-linear data transformation unit 210 is equipped with a firstnon-linear data transformation unit 280 and a second non-linear datatransformation unit 281. For arbitrary two pieces of input data, rightinput data R₀ and left input data L₀, the former performs the firstnon-linear transformation on the left input data L₀ using a firstextension key k₁, outputs an XORed result of the output data of thefirst non-linear transformation and the right input data R₀ as the firstleft intermediate data L₁, and outputs the left input data L₀ as thefirst right intermediate data R₁. The latter performs the secondnon-linear transformation on the first left intermediate data L₁ using asecond extension key k₂, outputs an XORed result of the output data ofthe second non-linear transformation and the first right intermediatedata R₁ as the second left intermediate data L₂, and outputs the firstleft intermediate data L₁ as the second right intermediate data R₂. Thenon-linear data transformation unit 210, in which the first non-lineardata transformation unit 280 through the sixth non-linear datatransformation unit 285 are cascade, outputs the final rightintermediate data R₆ and the left intermediate data L₆ as the outputdata after transformation.

FIG. 4 shows a configuration in which a normal data transformation unit(FL) 255, an inverse data transformation unit (FL⁻¹) 275, and a 6-roundnon-linear data transformation unit 240 are added to the encryption unit200 shown in FIG. 3. In total, data transformation is performed by 24rounds of non-linear data transformation units.

FIG. 5 shows the normal data transformation unit (FL) 251.

FIG. 5 shows that the normal data transformation unit (FL) 251 dividesinput data into two pieces of data, left input data 51 and right inputdata 52, performs logical operations for the both pieces of the data,and generates output data from the left output data 60 and the rightoutput data 61. The left input data 51 is ANDed with an extension key 53at an AND circuit 54, and then, the ANDed data is left rotationalshifted (also called “circular shifted”) by 1 bit at a 1-bit leftrotational shifting unit 55. The shifted data is XORed with the rightinput data 52 at an XOR circuit 56. The output from the XOR circuit 56becomes right output data 61, and is ORed with an extension key 57 at anOR circuit 58. Then, the ORed result is XORed with the left input data51 at an XOR circuit 59 to generate left output data 60.

FIG. 6 shows the inverse data transformation unit (FL⁻¹) 271.

FIG. 6 shows that the inverse data transformation unit (FL⁻¹) 271divides input data into two pieces of data, left input data 71 and rightinput data 72, performs logical operations for the both pieces of thedata, and generates output data from left output data 80 and rightoutput data 81.

The right input data 72 is ORed with an extension key 73 at an ORcircuit 74, and then, the ORed data is XORed with the left input data 71at an XOR circuit 75. Then, the output from the XOR circuit 75 becomesleft output data 80. and is ANDed with an extension key 76 at an ANDcircuit 77. After that, the ANDed result is left rotational shifted by 1bit at a 1-bit left rotational shifting unit 78, and the shifted data isXORed with the right input data 72 at an XOR circuit 79. The output fromthe XOR circuit 79 becomes right output data 81.

The normal data transformation unit (FL) 251 shown in FIG. 5 and theinverse data transformation unit (FL⁻¹) 271 shown in FIG. 6 performopposite operations each other. Accordingly, using the same extensionkey, the input data X of FIG. 5 can be obtained as output data X of FIG.6 by making output data Y of FIG. 5 be input data Y of FIG. 6.

The relationship in which the input data to one unit can be obtained asoutput data from the other unit by making the output data from the oneunit be input data to the other is called a relation between normal andinverse transformations. The normal data transformation unit (FL) 251and the inverse data transformation unit (FL⁻¹) 271 are circuits whichrealize such relation between normal and inverse transformations.

Both of the 1-bit left rotational shifting unit 55 of FIG. 5 and the1-bit left rotational shifting unit 78 of FIG. 6 perform left shift,however, both can execute right shift. Furthermore, the normal datatransformation unit (FL) 251 and the inverse data transformation unit(FL⁻¹) 271 can be one of other configurations as long as they preservethe relation between normal and inverse transformations. For example,the number of shifts can be changed. Moreover, an AND circuit with “not”operation, an OR circuit with “not” operation, and/or an XOR circuitwith “not” operation can be added. Namely, as follows are showndefinitions of the AND circuit with “not” operation, the OR circuit with“not” operation, and the XOR circuit with “not” operation, representedby “andn”, “orn”, and “xorn”, respectively.

x andn y: (not x) and y

x orn y: (not x) or y

x xorn y: (not x) x or y

Some recent CPUs are provided with commands of “and”, “or”, and “xor”including “not”. These commands can be performed at the same cost as“and”, “or”, and “xor”.

FIG. 7 shows a conventional encryption unit 201 and a conventionaldecryption unit 501.

The conventional encryption unit 201 is equipped with two normal datatransformation units FL. Thus, the decryption unit should be equippedwith two inverse data transformation units FL⁻¹ in order to performinverse operations. Therefore, since the encryption unit generally has adifferent configuration from the decryption unit, the encryption unitand the decryption unit cannot share the same circuit.

On the other hand, as shown in FIG. 8, in the present embodiment, thenormal data transformation unit (FL) 251 and the inverse datatransformation unit (FL⁻¹) 271 are located side by side in theencryption unit 200, so that the decryption unit having the sameconfiguration can perform decryption. For example, the right data R istransformed by the normal data transformation unit (FL) 251 to get leftdata L′, and the left data L is transformed by the inverse datatransformation unit (FL⁻¹) 271 to get right data R′. In this case, theright data R can be obtained by inputting the left data L′ to theinverse data transformation unit (FL⁻¹) 271, and the left data L can beobtained by inputting the right data R′ to the normal datatransformation unit (FL) 251.

As described above, the encryption unit 200 and the decryption unit 500can be implemented by the same configuration, and the encryption unit200 and the decryption unit 500 can share the circuit.

FIG. 9 shows a configuration in which the normal data transformationunit (FL) 251 and the inverse data transformation unit (FL⁻¹) 271 arelocated at point symmetry on the non-linear data transformation unit280.

In this way, when the normal data transformation unit (FL) 251 and theinverse data transformation unit (FL⁻¹) 271 are located at pointsymmetry on the non-linear data transformation unit 280, the encryptionand the decryption can be performed using the same configuration.

FIG. 10 shows correspondence between the data transformation unit (FL)and the inverse data transformation unit (FL⁻¹) placed at pointsymmetry.

As shown in FIG. 10, in case of FIG. 3, the normal data transformationunit (FL) 251 and the inverse data transformation unit (FL⁻¹) 271 areplaced at point symmetry on the 6-round non-linear data transformationunit 220.

In FIGS. 3, 4, 8, and 9, the data transformation unit (FL) and theinverse data transformation unit (FL⁻¹) can be replaced with each other.Besides, in FIGS. 3, 4, 8, and 9, the right data R and the left data Lcan be replaced with each other.

FIG. 36 shows a configuration in which the encryption unit 200 consistsof the 6-round non-linear data transformation unit 210, and the 6-roundnon-linear data transformation unit 220, and the 6-round non-linear datatransformation unit 230.

The 6-round non-linear data transformation unit 210, the 6-roundnon-linear data transformation unit 220, and the 6-round non-linear datatransformation unit 230 are circuits that can be used for encryption anddecryption.

Here, a normal/inverse data transformation unit 211 consists of the6-round non-linear data transformation unit 210, and the normal datatransformation unit (FL) 250, and the inverse data transformation unit(FL⁻¹) 271. The normal/inverse data transformation unit is a circuitthat can be used for both encryption and decryption. Namely, thenormal/inverse data transformation unit is one normal/inversetransformation circuit in which the input data to the unit can beobtained as the output data from the other unit by making the outputdata from the unit be the input data to the other unit.

A normal/inverse data transformation unit 221 also consists of the6-round non-linear data transformation unit 220, and the normal datatransformation unit (FL) 251, and the inverse data transformation unit(FL⁻¹) 273.

In addition, a normal/inverse data transformation unit 231 consists ofthe 6-round non-linear data transformation unit 230, and the normal datatransformation unit (FL) 253, and the inverse data transformation unit(FL⁻) 275.

The encryption unit 200 is configured by cascading these normal/inversedata transformation units 211, 221, and 231. And this encryption unit200 can be also used as the decryption unit 500.

Besides, if a set of the 6-round non-linear data transformation unit210, the 6-round non-linear data transformation unit 220, the normaldata transformation unit (FL) 251, and the inverse data transformationunit (FL⁻¹) 271 is assumed to be a non-linear data transformation unit1210, the nonlinear data transformation unit 1210 is a circuit that canbe used for encryption and decryption. Here, a normal/inverse datatransformation unit 1211 consists of the non-linear data transformationunit 1210, the normal data transformation unit (FL) 250, and the inversedata transformation unit (FL⁻¹) 273.

Further, if a set of the 6-round non-linear data transformation unit220, the 6-round non-linear data transformation unit 230, and the normaldata transformation unit (FL) 253, and the inverse data transformationunit (FL⁻¹) 273 is assumed to be a non-linear data transformation unit1220, a normal/inverse data transformation unit 1221 consists of thenon-linear data transformation unit 1220, the normal data transformationunit (FL) 251, and the inverse data transformation unit (FL⁻¹) 275.

The normal/inverse data transformation units 1211 and 1221 can be usedfor the decryption unit.

Further, if a set of the 6-round non-linear data transformation units210 through 230 is assumed to be a non-linear data transformation unit2210, the non-linear data transformation unit 2210 is a circuit that canbe used for both encryption and decryption.

Here, the non-linear data transformation unit 2210, the normal datatransformation unit (FL) 250, and the inverse data transformation unit(FL⁻¹) 275 form a normal/inverse data transformation unit 2211.

The normal/inverse data transformation unit 2211 can be used for thedecryption unit.

As described above, the encryption unit 200 or the decryption unit 500can be configured by cascading multiple normal/inverse datatransformation units.

Further, in the encryption unit 200 or the decryption unit 500, thenormal/inverse data transformation unit can be formed hierarchically bynesting the normal/inverse data transformation unit within thenormal/inverse data transformation unit.

FIG. 37 shows a case in which the encryption unit 200 and the decryptionunit have the same configuration including the 6-round non-linear datatransformation unit 210.

In FIG. 37, the 6-round non-linear data transformation unit 210 includeseven rounds of non-linear data transformation units 280 as shown inFIGS. 3 and 4. Data A is transformed into data A′ by a first inputnormal data transformation unit 256, the data A′ is input to a firstinput port 261, the data A′ input from the first input port 261 isoutput from a first output port 263 as data A₁′. Further, data B inputfrom a second input port 262 is output from a second output port 264 asdata B₁. The data B₁ output from the second output port 264 istransformed into data B₁′ by a second output inverse data transformationunit 279.

The data A₁′ output from the first output port 263 of the encryptionunit 200 is input to the second input port 262 of the decryption unit500 as the data A₁′. The data B₁′ output from the second output inversedata transformation unit 279 is input to the first input normal datatransformation unit 256 as the data B₁′, and output as the data B₁.

The non-linear data transformation unit 210 inputs the data B₁ andoutputs the data B. Further, the non-linear transformation unit 210inputs the data A₁′ and outputs the data A′. The second output inversedata transformation unit 279 inputs the data A′ and outputs the data A.

In FIG. 38, the odd-round non-linear data transformation unit 219includes odd rounds of non-linear data transformation units 280.Accordingly, the data A′ input from the first input port 261 is outputfrom the second output port 264 as the data A₁′. Then the data A₁′ istransformed by the second output inverse data transformation unit 279,and output as the data A₁″. Further, the data B input to the secondinput port 262 is output from the first output port 263 as the data B₁.

The data B₁ output from the first output port 262 of the encryption unit200 is input to the second input port 262 of the decryption unit 500 asthe data B₁. The data A₁″ output from the second output inverse datatransformation unit 279 of the encryption unit 200 is input to thedecryption unit 500 as the data A₁″ and input to the first input normaldata transformation unit 256.

In cases of FIGS. 37 and 38, the encryption unit 200 and the decryptionunit 500 have the same configuration, performing encryption anddecryption.

FIG. 39 shows a case in which the second input normal datatransformation unit 257 is provided at the second input port 262, andthe first output inverse data transformation unit 278 is provided at thefirst output port 263.

FIG. 40 shows a case in which the first input inverse datatransformation unit 276 is provided at the first input port 261, and thesecond output normal data transformation unit 259 is provided at thesecond output port 264.

FIG. 41 shows a case in which the normal/inverse data transformationunits 256, 258 are provided at the left input/output ports 261, 263, andthe inverse data transformation units 277, 279 are provided at the rightinput/output ports 262, 264.

FIG. 42 shows a case in which FIGS. 39 and 40 are combined.

Another case can be implemented by combining FIGS. 37 and 39, which isnot shown in the figure. Further, FIGS. 38 and 39 can be combined.Further, the 6-round (even-round) non-linear data transformation unit210 can be replaced with the odd-round non-linear data transformationunit 219 in FIGS. 37, 39 through 42, which are not shown in the figures.In cases of FIGS. 39 through 42, the encryption unit and the decryptionunit can be implemented by the same configuration.

Embodiment 2

FIG. 11 shows a configuration of a non-linear function unit F of thenon-linear data transformation unit 280.

The non-linear function unit F inputs F function input data 10, performsnon-linear transformation, and outputs F function output data 40. The Ffunction input data 10 having 64 bits is divided into eight pieces ofdata, and processed in the unit of 8 bits. Each 8-bit data is input toeach of eight XOR circuits 12 of a key function unit 25, XORed with anextension key 11, and performed non-linear transformation usingsubstitution at an S function unit 20. Then, at a P function unit 30,two pieces of 8-bit data are XORed by sixteen XOR circuits 815, and the64-bit F function output data 40 is output. In the S function unit 20,four S-box first transformation units 13 and four S-box secondtransformation units 14 are provided.

FIG. 12 shows an implementation example of the S-box firsttransformation unit 13 and the S-box second transformation unit 14.

Inside the S-box first transformation unit 13, a transformation table Tis provided The transformation table T previously stores values of 0through 255 arbitrarily (at random) corresponding to values of 0 through255. The transformation table T inputs values of 0 through 255 andoutputs the value (value of 0 through 255) corresponding to each value.For example, when 1 is input, the transformation table T outputs 7. Thetransformation table T performs non-linear transformation determinedunder consideration of security, e.g., checking if the function isbijective or not, the maximum differential probability is sufficientlysmall or not, and so on.

The S-box second transformation unit 14 includes the S-box firsttransformation unit 13 and a 1-bit left rotational shifting unit 22 (inthe figure, “<<<” of “<<<1” shows the left rotational left shift and “1”shows 1 bit). The 1-bit left rotational shifting unit 22 performs leftrotational shift by 1 bit to an output from the S-box firsttransformation unit 13. For example, when 1 is input, the S-box firsttransformation unit 13 outputs 7, and 1-bit left rotational shiftingunit 22 outputs 14.

If the S-box first transformation unit 13 and the S-box secondtransformation unit 14 are configured as shown in FIG. 12, one canobtain an effect, which is similar to the case in which two kinds of thetransformation tables T are provided, though it is not required to havetwo kinds of transformation tables T. By including only onetransformation table T, the memory usage required for storing thetransformation table T can be decreased, and the circuit scale can bereduced.

Further, as shown in FIG. 27, by providing a 1-bit right rotationalshifting unit (“>>>1” of the S-box third transformation unit 15 in FIG.27) as well as, or, instead of the 1-bit left rotational shifting unit22, a similar effect can be obtained to a case in which a differenttransformation table T is further provided. In another way, it is alsopossible to transform input data y using the transformation table Tafter shifting the input data y by the 1-bit left rotational shiftingunit (“<<<1” of the S-box fourth transformation unit 16 in FIG. 27)provided for the input data y. FIG. 27 shows cases of s(y), s(y)<<<1,s(y)>>>1, s(y<<<1), but cases of s(y>>>1), s(y>>>1)<<<1, s(y<<<1)>>>1,s(y>>>1)<<<1, s(y>>>1)>>>1 are also applicable. By making the shiftedamount 1 bit, it sometimes becomes possible to perform faster than casesof shifting by 3 bits or 5 bits in case that CPUs, etc. have only 1-bitshift command. Further, when this shifting process is performed byhardware which performs only 1-bit shifting, it sometimes becomespossible to perform faster. Further, the shifting is not limited toperformed by 1 bit, but an arbitrary number of bits such as 2 bits, 3bits can be used. By shifting by an arbitrary number of bits, itsometimes becomes possible to obtain a similar effect to providingdifferent kinds of tables.

FIG. 28 shows an S function unit 20 using the four S-box first throughfourth transformation units 13, 14, 15, 16 shown in FIG. 27.

Another configuration of the P function unit 30 is shown in FIG. 31.

From 8-bit input data y₁, y₂, y₃, y₄, 32-bit data Z₁, Z₂, Z₃, Z₄ areobtained by referring to S1, S2, S3, S4, respectively, and they areXORed at a circuit 913. From 8-bit input data y₅, y₆, y₇, y₈, 32-bitdata Z₅, Z₆, Z₇, Z₈ are obtained by referring to S2, S3, S4, S1,respectively, and they are XORed at a circuit 916. This XORed result U₂and the former XORed result U₁ are XORed at a circuit 917 to output z₁′,z₂′, z₃′, z₄′. Then, the XORed result U₁ from the circuit 913 is shiftedto the left by 1 byte (in FIG. 31, “<<<1” represents 1-byte rotationalshift, not 1-bit rotational shift) at a circuit 918. The shifted resultis XORed with the output from the circuit 917 to output z₅′, z₆′, z₇′,z₈′.

As shown in (a) through (d) of FIG. 33, S1 is configured using the S-boxfirst transformation unit 13, S2 is configured using the S-box secondtransformation unit 14, S3 is configured using the S-box thirdtransformation unit 15, S4 is configured using the S-box fourthtransformation unit 16. The 8-bit output data from each transformationunit is copied four times to make 32-bit data, and further, 32-bit datais masked to output only three pieces of the data (24-bit).

The 1-byte rotational shift of the circuit 918 is a cyclic shifting by aunit of bit length (8 bits=1 byte) which is processed by the S-box.

FIG. 32 shows the P function unit whose configuration is equivalent toFIG. 31, but implementation is different.

From 8-bit input data y₁, y₂, y₃, y₄, 32-bit data Z₁, Z₂, Z₃, Z₄ areobtained by referring to S5, S6, S7, S8, and they are XORed at a circuit933 to output an operation result A. From 8-bit input data y₅, y₆, y₇,y₈, 32-bit data Z₅, Z₆, Z₇, Z₈ are obtained by referring to S9, SA, SB,SC, and they are XORed at a circuit 936 to output an operation result B.The operation result B is shifted rotationally to the right by 1 byte(in FIG. 32, similarly to FIG. 31, shifting is performed by a unit ofbit length (8 bits=1 byte) which is processed by the S-box, not 1 bit)at a circuit 937 and the operation result B and the operation result Aare XORed at a circuit 938. This operation result C is shiftedrotationally to upper (left) by 1 byte at a circuit 939, and theoperation result C is also XORed with the operation result A at acircuit 940. This operation result D is shifted rotationally to upper(left) by 2 byte at a circuit 941, and the operation result D is alsoXORed with the output from the circuit 939 at a circuit 942. Thisoperation result E is shifted rotationally (to the right) by 1 byte at acircuit 943, and the operation result E is also XORed with the outputfrom the circuit 941 at a circuit 944. Output F from the circuit 944 isoutput as z₁′, z₂′, z₃′, z₄′, and output from the circuit 943 is outputas z₅′, z₆′, z₇′, z₈′.

S5 and SC are configured using the S-box first transformation unit 13and a logical shift, S6 and S9 are configured using the S-box secondtransformation unit 14 and a logical shift, S7 and SA are configuredusing the S-box third transformation unit 15 and a logical shift, S8 andSB are configured using the S-box fourth transformation unit 16 and alogical shift. The logical shift is used for outputting 8-bit outputdata from each transformation unit to a predetermined location withinthe 32-bit output data. The logical shift is set to shift to the left by0 byte in S5 and SA, 1 byte in S6 and SB, 2 bytes in S7 and SC, 3 bytesin S8 and S9 Namely, assuming 8-bit output from the transformation unitas z, 32-bit output can be represented as [0,0,0,z] (0 shows each ofeight bits is 0) in S5 and SA, [0,0,z,0] in S6 and SB, [0,z,0,0] in S7and SC, [z,0,0,0] in S8 and S9.

It is possible to implement using substitution tables whose input is8-bit and output is 32-bit, which is calculated for directly producingpredetermined output.

In cases of FIGS. 31 and 32, the apparatus can be provided, whichperforms transformation at higher speed than the transformation used forthe conventional E2 cipher shown in FIG. 26, and further on whichflexible implementation is possible.

In FIG. 11, when the S-boxes of the S function unit 20 are configuredrespectively by different kinds of S-boxes, eight transformation tablesT are required. On the other hand, when the S-boxes are configured asshown in FIG. 12, the memory usage required for storing thetransformation tables T can be reduced to at least a half.

Further, eight pieces of 8-bit data are input time-divisionally to theS-box first transformation unit 13 and the S-box second transformationunit 14 shown in FIG. 12, so that the conventional eight respectiveS-boxes can be replaced by the S-box first transformation unit 13 andthe S-box second transformation unit 14.

FIG. 13 shows another example of the S-box of the S function unit 20.

The concrete configuration is explained in detail in Matui, Sakurai,“Galois Field division circuit and shared circuit for multiplication anddivision” (Japanese Patent Registration No 2641285 [May 2, 1997]).

8-bit data is input to the S-box transformation unit 21, and 8-bit datais output. The S-box transformation unit 21 is configured by an N-bit(here, N=8) linear transformation unit 17, a subfield transformationunit 18, and an N-bit linear transformation unit 19. The N-bit lineartransformation unit 17 performs operations of 8-bit data. The subfieldtransformation unit 18 performs operations of only 4-bit data which areelements of Galois Field GF (2⁴). The N-bit linear transformation unit19 performs an operation of 8-bit data. A linear transformation unit 85of the N-bit linear transformation unit 17 is a circuit which performsthe linear transformation shown in FIG. 14. A linear transformation unit87 is a circuit which performs the linear transformation shown in FIG.15.

The linear transformation unit 85 can be replaced by a circuit whichperforms an affine transformation (a linear transformation can beconsidered as one style of affine transformations). Similarly, thelinear transformation unit 87 can be replaced by a circuit whichperforms another affine transformation. The linear transformation unit85 transforms 8-bit data (X) into 8-bit data (X′). The obtained 8-bitdata (X′) is assumed to be an element of Galois Field (2⁸). The upper4-bit data and the lower 4-bit data (X₁ and X₀) of data X′ arerespectively assumed as elements of the subfield Galois Field (2⁴) andoutput to the subfield transformation unit 18. Here, for example, let anelement β of GF (2⁸) be an element which satisfies the irreduciblepolynomial X⁸+X⁶+X⁵+X³+1=0, and α=β²³⁸, a base of the subfield GF (2⁴)can be represented as [1, α, α², α³]. If the elements of GF (2⁴), X₀,X₁, are represented using this, the following relationship can beestablished as X′=X₀+βX₁. (For details, refer to Matui, Sakurai, “GaloisField division circuit and shared circuit for multiplication anddivision” (Japanese Patent Registration No. 2641285 [May 2, 1997])). Thesubfield transformation unit 18 is configured only by operation unitseach of which performs operations of 4-bit data.

Here, as an example of extracting “subfield”, the subfield GF (2^(m))where n=2m can be considered for given GF (2^(n)). In this example, n=8,m=4.

The subfield transformation unit 18 is an inverse element circuit usingthe subfield constructed by the circuit shown in “Galois Field divisioncircuit and shared circuit for multiplication and division” (PatentRegistration No. 2641285 [May 2, 1997]). As an operation result of thisinverse element circuit, upper 4-bit data and lower 4-bit data (Y₁ andY₀), each of which can be assumed as an element of GF (2⁴), are outputto the linear transformation unit 87 as 8-bit data Y which can beassumed as an element of GF (2⁸) where Y=Y₀+βY₁. As explained above,this inverse element circuit is a circuit for computingY=Y₀+βY₁=1/(X₀+βX₁). Further, there are some ways of taking a “basis”,such as a “polynomial basis” and a “normal basis”, in representing theelement of “finite field” (how to take a basis) in the inverse elementcircuit.

A first characteristic of the S-box transformation unit 21 shown in FIG.13 is to compute data with a bit width (4 bits) which is a half of thebit width (8 bits) of the data input for the non-linear transformation.Namely, the inverse element circuit is characterized by performingoperations of only 4-bit data.

Although the computation speed may be decreased by performing only 4-bitoperations. This case has an advantage in that a scale of a wholecircuit can be much smaller than a case of performing operations of8-bit data.

Further, a second characteristic of the S-box transformation unit 21 isthat the N-bit linear transformation unit 17 and the N-bit lineartransformation unit 19, where N=8, are provided at both sides of thesubfield transformation unit 18. When the S-box transformation unit 21is implemented using the subfield transformation unit 18, there is anadvantage that a scale of the whole circuit can be reduced and theconfiguration becomes simpler compared with a case employing atransformation table T storing random values, while on the contrary, thesecurity may be decreased. Accordingly, the linear transformations orthe affine transformations are performed at both sides of the subfieldtransformation unit 18, so that the reduction of the security level dueto implementing using the subfield transformation unit 18 can berecovered

In FIG. 13, the linear transformations are performed at both sides ofthe subfield transformation unit 18, however, the linear transformationcan be performed only at one side. In another way, the lineartransformation can be performed at one side, and the affinetransformation can be performed at the other side.

FIG. 29 shows a case in which the key function unit 25 shown in FIG. 11,that is, the key function unit 25 placed before the S function unit 20and the P function unit 30, is now placed after the S function unit 20and the P function unit 30.

FIG. 30 shows a case in which the key function unit 25 is placed betweenthe S function unit 25 and the P function unit 30.

By employing the configuration shown in FIG. 29 or FIG. 30, one can havean effect that an implementation provides a higher-speed operation thanthe configuration shown in FIG. 11 does. Further, by modifying thegeneration of the extension keys, the same output can be obtained usingthe configuration shown in FIG. 29 or FIG. 30 from the same input as theconfiguration of FIG. 11. In the conventional F function unit shown inFIG. 26, two S functions are provided, in each of which first anoperation with the extension key is performed and then an operation ofthe S function is performed. On the contrary, in the case shown in FIG.29, a key function unit 25 is placed at the final stage of the Ffunction. In the case shown in FIG. 30, the key function unit 25 isplaced between the S function unit 20 and the P function unit 30.

FIG. 43 shows a case in which the non-linear transformation unit F shownin FIG. 28 is employed in the encryption unit 200 or the decryption unit500 shown in FIG. 3.

Left data is input to the non-linear transformation unit F as F functioninput data 10, and F function output data 40 is output. The F functionoutput data 40 is XORed with right data, and the XORed result becomesleft data of the next round. When the left data is input to thenon-linear transformation unit F as the F function input data 10, at thesame time, the left data is used as right data of the next round. In theconfiguration shown in FIG. 43, operations of the key function unit 25,the S function unit 20, and the P function unit 30 are performed in thenon-linear transformation unit F, so the operation load becomes largewithin the non-linear transformation unit F. An example case in which ahigher-speed processing can be achieved by distributing the operationload of the non-linear transformation unit F will be explained belowreferring to the figures.

FIG. 44 shows a case in which the non-linear transformation unit F′ isused. The non-linear transformation unit F′ is one where the keyfunction unit 25 is removed from the non-linear transformation unit Fshown in FIG. 43. The extension key k₁ is XORed with left data L₀ at anXOR circuit 891. Further, the extension key k₂ is XORed with right dataR₀ at an XOR circuit 297. The left data is input to the non-lineartransformation unit F′ as the F function input data 10, and transformedby the S function unit 20 and the P function unit 30. Output from theXOR circuit 297 and the F function output data 40 are XORed at an XORcircuit 290 to output left data L₁.

On the other hand, the key generating units 300, 600 perform an XORoperation of the extension keys k₁ and k₂ and output the modifiedextension key k₁+k₃. The output R₁ of the XOR circuit 891 and theextension key k₁+k₃ are XORed at an XOR circuit 298 to output the rightdata. The key generating units 300, 600 modify the extension keys togenerate and output k₁+k₃, k₂+k₄, k₃+k₅, . . . , k₁₆+k₁₈. The keygenerating units 300, 600 supply the modified extension keys to theprocesses other than the non-linear function process (F) to operate withthe data. As a result, left data L₁₈ and right data R₁₈ become the sameas the left data L₁₈ and the right data R₁₈ in case of FIG. 43.

The modified extension keys are supplied to the processes other than thenon-linear function process (E) and operated with the data, andconsequently, the operations with the key data can be performed outsidethe non-linear function unit F′, namely, at the XOR circuits 297 and298, while the operations of the S function unit 20 and the P functionunit 30 are performed in the non-linear function unit F′. Therefore, theoperations of the key function unit 25 are eliminated from thenon-linear function unit F, and the load of the non-linear function unitF is distributed, which enables a high-speed implementation.

FIG. 45 shows a case in which operations of the whitening extension keykw₁ are performed as well as operations of the other extension keys inthe configuration shown in FIG. 44. FIG. 45 shows a case in which thekey generating unit previously performs an XOR operation of a part ofthe whitening extension key kw_(1high) and the first extension key k₁(namely, the key generating unit modifies the extension key) andsupplies the operation result to the XOR circuit 891.

The figure also shows a case in which the key generating unit previouslyperforms an XOR operation of a part of the whitening extension keykw_(1low) and the second extension key k₂ (namely, the key generatingunit modifies the extension key) and supplies the operation result tothe XOR circuit 297.

In this way, the operation at the XOR circuit 293 shown in FIG. 44 canbe eliminated. Further, in a case shown in FIG. 45, the key generatingunit performs an XOR operation of a part of the whitening extension keykw_(2low) and the extension key k₁₇ (namely, the key generating unitmodifies the extension key) and supplies the operation result to the XORcircuit 299. Yet further, the key generating unit performs an XORoperation of the other part of the whitening extension key kw_(2high)and the extension key k₁₈ (namely, the key generating unit modifies theextension key) and supplies the operation result to the XOR circuit 892.

In this way, the operation of the XOR circuit 296 shown in FIG. 44 iseliminated.

FIG. 46 shows a case in which the key function unit 25 is removed fromthe non-linear function unit F, and instead, the key generating unitsupplies the extension key k to the XOR circuit 298 when the non-linearfunction unit F is configured as shown in FIG. 29.

FIG. 47 shows a case in which the key function unit 25 is removed fromthe non-linear function unit F, and instead, the key generating unitsupplies the non-linearly transformed extension key k′=P(k) to the XORcircuit 298 when the non-linear function unit F is configured as shownin FIG. 30. In the case of FIG. 47, the same operation as performed bythe P function process is performed on the key data to generatenon-linearly transformed key data, and the non-linearly transformed keydata is supplied to the processes other than the non-linear functionprocess (F) for processing data to be operated with the data as the keydata for processing data. In both cases of FIGS. 46 and 47, because thekey function unit 25 is eliminated from the non-linear function unit F,the operation load of the non-linear function unit F is reduced, and theoperation of the XOR circuit 298 located outside the non-linear functionunit F can be performed in parallel with the operations performed by thenon-linear function unit F, which enables a high-speed processing.

Embodiment 3

FIG. 16 shows a configuration of the key generating unit 300 (or the keygenerating unit 600) shown in FIG. 1 The key generating unit 300includes a bit length transformation unit 310, a first G-bit keytransformation unit 320, a second G-bit key transformation unit 330, anda key shifting unit 340. From the input key data having 128 bits, 192bits, or 256 bits, the key generating unit 300 generates 128-bit keydata K₁ and 128-bit key data K₂, and outputs plural 64-bit extensionkeys. The bit length transformation unit 310 converts the bit length ofthe key data to be output so that the bit length of the output key databecomes fixed even if the key data having different number of bits isinput. In other words, the bit length transformation unit 310 generateskey data SK_(high) of upper 128 bits and key data SK_(low) of lower 128bits and outputs the former to the first G-bit key transformation unit320 and the key shifting unit 340. Further, the latter is output to thesecond G-bit key transformation unit 330 and the key shifting unit 340.Further, 128-bit key data which is an XORed result of the former and thelatter is output to the first G-bit key transformation unit 320.

FIG. 17 shows inside operations of the bit length transformation unit310.

When the 128-bit key data is input to the bit length transformation unit310, the input key data is output as key data SK_(high) of the upper 128bits without any change. Further, key data SK_(low) of the lower 128bits is set to 0 and output.

When the 192-bit key data is input to the bit length transformation unit310, the upper 128-bit data of the input key data is output as the upper128-bit key data SK_(high) without any change. Further, the lower128-bit key data SK_(low) is generated by combining the lower 64 bits ofthe input 192-bit key data and the inverse 64-bit data, which isgenerated by inverting the lower 64-bit data of the input 192-bit keydata, and output.

When 256-bit key data is input, the upper 128-bit data of the input keydata is output as SK_(high), and the lower 128-bit data is output asSK_(low).

An XOR data of the 128-bit key data SK_(high) and SK_(low) is input tothe first G-bit key transformation unit 320 from the bit lengthtransformation unit 310, operated by two round non-lineartransformations, XORed with the upper 128-bit key data SK_(high),further operated by two round non-linear transformations, and 128-bitkey data K₁ is output.

When the length of the key data input to the bit length transformationunit 310 is 128 bits, the key shifting unit 340 generates the extensionkey using the 128-bit key data output from the first G-bit keytransformation unit 320 and the key data originally input. When thelength of the key data input to the bit length transformation unit 310is 192 bits or 256 bits, the 128-bit key data output from the firstG-bit key transformation unit 320 is further input to the second G-bitkey transformation unit 330, XORed with the lower 128-bit key dataSK_(low) , operated by two round non-linear transformations, and 128-bitkey data K₂ is output. Two pieces of 128-bit key data, from the firstG-bit key transformation unit 320 and the second G-bit keytransformation unit 330, are output to the key shifting unit 340. Thekey shifting unit 340 generates the extension key using the two piecesof 128-bit key data and the key data originally input.

The key shifting unit 340 includes a shift register A 341, a shiftregister B 342, a shift register C 343, a shift register D 344, and ashift control unit 345. The shift control unit 345 outputs a selectsignal 346 to each of the shift registers to control the operations ofthe shift registers.

FIG. 18 shows a configuration of the shift register A341.

The shift register A 341 includes a selector A 347 having a group ofswitches for 128 bits and a register A 348 having 128 bits. A selectsignal 346 includes a switch signal to indicate to connect all theswitches of the selector A 347 at the same time to either of A side andB side. The figure shows a case in which the group of switches of theselector A 347 has selected A based on the select signal 346, and inthis case, the register A 348 performs a rotational shift to the left by17 bits. Further, when the group of switches is connected to B, theregister A performs the rotational shift to the left by 15 bits. The15-bit shift or 17-bit shift is performed by one clock cycle.

The number of shifting bits (15, 17) is one of examples, and othernumber of shifting bits can be applied.

FIG. 19 shows a part of a control table stored in the shift control unit345.

The control table is a table storing how many bits the register shiftsat each clock. For example, in the register A control table, at thefirst clock, it is specified to shift by 15 bits. And, at the secondclock, it is specified to shift by further 15 bits. Similarly, at eachof the third clock and the fourth clock, it is specified to shift by 15bits. At each of the fifth through the eighth clock, it is specified toshift by 17 bits.

FIG. 20 shows a control result under which the shift control unit 345controls each shift register using the table shown in FIG. 19 in case ofgenerating the extension key from the 128-bit key data.

The upper 128-bit key data SK_(high) input from the bit lengthtransformation unit 310 is set in the shift register A 341. The 128-bitkey data K₁ output from the first G-bit key transformation unit 320 isset in the shift register B 342. Under this condition, the shiftregister A 341 and the shift register B 342 operate based on the controltable shown in FIG. 19. In FIG. 20, data in a column having a slantshows to be ignored and not to be output. Data in the other columns areoutput as extension keys as shown in FIG. 21.

FIG. 21 shows a correspondence between the value of the registers andthe extension key.

FIG. 20 shows a case in which four shifts are performed by 15 bits ateach clock, and from the fifth clock, shifts are performed by 17 bits ateach clock. Decision to output or not to output the upper 64 bits andthe lower 64 bits from the shift register A 341 and the shift register B342 as the extension key and its outputting order are specified in thecontrol table, which is not shown in the figure. And according to thecontrol table, by outputting the select signal 346 including an outputinstruction signal to the shift register, the extension key is outputfrom each shift register by 64 bits.

FIG. 22 shows a case in which the extension key is generated from the192-bit or 256-bit key data.

Namely, the upper 128-bit key data SK_(high) input from the bit lengthtransformation unit 310 is set in the shift register A 341, the lower128-bit key data SK_(low) is set in the shift register B 342, the128-bit key data K₁ output from the first G-bit key transformation unit320 is set in the shift register C 343, and the 128-bit key data K₂output from the second G-bit key transformation unit 330 is set in theshift register D 344.

Data in a column having a slant shows keys not used for the extensionkeys.

FIG. 23 shows a correspondence between the value of the register and theextension key.

The keys not used for the extension keys and the correspondence betweenthe value of the register and the extension key shown in FIG. 23 arestored in the control table located in the controller.

As shown in FIG. 19, the shift control unit 345 stores the number ofbits for shifting the key data set in the shift register A 341. Namely,the extension keys are generated sequentially by shifting the key dataset in the shift register A 341 by Z₀=0 bit, Z₁=15 bits, Z₂=45 bits,Z₃=60 bits, Z₄=77 bits, Z₅=94 bits, Z₆=111 bits, and Z₇=128 bits asshown in the shift register A control table.

The sum of the number of shifting bits becomes15+15+15+15+17+17+17+17=128, so that the 128-bit register performs the128-bit rotational shift and the register returns to the initial status.

The reason why the sum of the number of shifting bits is made 128 bits(the number of bits of the register) to return to the initial status isthat the next processing can be started at once if the next processingis assigned to the register of the initial status. Further, in case ofperforming an inverse transformation (decryption), the process forgenerating the extension key is started from the initial status, andaccordingly, both of the transformation (encryption) and the inversetransformation (decryption) can be performed by setting the initialstatus. Further, the reason why the sum of the number of shifting bitsis not made greater than 128 bits (the number of bits of the register)is to prevent the generation of identical values as the status withinthe same shift register due to performing the shift more than one cycle(greater than 128 bits of shift). This is because, for example,performing the rotational shift by 2 bits, which is less than 128 bits(the number of bits of the register) and performing the rotational shiftof 130 bits, which is greater than 128 bits (the number of bits of theregister), produce the identical value. It is desirable to set suchvalues in the register A control table that, on performing the shifts ofthe register by one cycle, the number of shifting bits variesirregularly through the one cycle. However, in order to facilitate theconfiguration of the shift register, it is desired to shift by the fixednumber of bits. Therefore, one register is configured to perform twokinds of shifts by 15 bits and 17 bits (at one clock), and the shiftoperation by different number of bits can be implemented using the twokinds of shifts, according to the following procedure.

Set the relation so that Z₁−Z₀=15 (here, Z₁−Z₀=B₁), Z₂−Z₁=30 (namely,Z₂−Z₁=2B₁), therefore, Z₂−Z₁=2 (Z₁−Z₀). Further, as shown in the shiftregister B control table, set the relation so that Z₅−Z₄=34 (here,Z₅−Z₄=2B₂), Z₆−Z₅=17 (namely, Z₆−Z₅=B₂) therefore, Z ₅−Z₄=2 (Z₆−Z₅).Namely, the differences between the numbers of shifting bits are made 15bits and 30 bits, or 17 bits and 34 bits, and the number of shiftingbits (30 bits or 34 bits) is set to an integral multiple (2 times=Itimes) of the number of bits (15 bits and 17 bits) for one timeshifting.

In this way, as the differences of the number of shifting bits are setto either the number of shifting bits for one time or the multiple bythe integer which is greater than two (I times, I is an integer greaterthan 2) and the number of shifting bits for one time, by operating theshift register A 341 one time or two times (I times), it is possible toeasily implement shift operations of which the number of shifting bitsstored in the control table. To operate two times (I times) means thatthe shift operation finishes with two clocks (I clocks) of the operationclock supplied for operating the shift register A 341.

Here, on shifting I times (two times), both the higher data and thelower data of the shifted data up to I−1 times (2−1=1 time) are ignoredand are not used for the extension key. For example, in case of shiftingfrom Z₁=15 to Z₂=45, I=(Z₂−Z₁)/(the number of shifting bits at onetune)=(45−15)/15=2, and both the higher data and the lower data of theshifted data after shifting I−1 times (2−1=1 time) are ignored and arenot used for the extension key. This can be seen in FIG. 20, in whichthe columns of key[8] and key[9] have slants, showing that these keysare not used for the extension keys. And either or both of the higherdata and the lower data of the shifted data after shifting I times (2times) is or are used as the extension key. This can be seen in FIG. 20,which shows key[12] and key[13] are output as the extension keys.

The reasons why the shift operation based on multiple by the integergreater than two is employed as described above are to enable to performthe shifting of not only 15 bits or 17 bits, but also 30 (=15×2) bits,34 (=17×2) bits (or 45 (32 15×3) bits or 51 (=17×3) bits, etc.), whichvaries the number of shifts and further to improve the security. And,the reason why the cases are provided in which the shifted data is notused for the extension key is also to improve the security.

It is desired to generate the data which is not used for the extensionkey (in FIGS. 20 and 22, keys of columns having slants, which are notused for the extension keys) when, for example, the processing of thehardware or the processing of the program is not consecutivelyperformed. For concrete examples, in FIG. 3, it is desired to generatesuch data when the operations of the normal data transformation unit(FL) and the inverse data transformation unit (FL⁻¹) are performed, orbefore or after such operations or at idle times of processes orswitching times of processes such as a function call by a program, asubroutine call, or an interrupt handling process.

The characteristics of the control table shown in FIG. 19 is that thecontrol table specifies the number of shifting bits of B₁=8×2−1=15(B₁=8×J₁−1, where J₁ is an integer greater than 1) and the number ofshifting bits of B₂=8×2+1=17 (B₂=8×J₂+1, where J₂ is an integer greaterthan 0, J₁=J₂ or J₁≠J₂). To set the shifting amount to a ±1 of theintegral multiple of 8 is to perform the shift by odd bits, whichimproves the security compared with performing the shift only by evenbits, since the operation of the extension key in the data processingunit is made by 8-bit unit, that is, even bits unit. And since theshifting amount can be set by adding/subtracting 1 bit to/from themultiple of 8, for example, on some CPU which has only 1-bit shiftingcommand, the shift operation such as above performs a high-speedprocessing compared with shifting by 3 bits or 5 bits. And also, in casethat this shift operation using the hardware which can shift only 1 bit,there are cases possible to perform a high-speed processing.

In the above description of the bit length transformation unit 310,three kinds of bit widths of key data are input. Even when the key datahaving Q bit length, in which Q is between 128 bits (G bits) and 256bits (2G bits) (G<Q<2G), the bit length transformation unit 310 canextend the key data to the same size of the key data when the 256-bitkey data is input, using some kind of algorithm. Namely, when the keydata having length of Q, which is between G bits and 2G bits, is input,the bit length transformation unit 310 can convert the key data of Qbits into the key data of 2G bits.

Next, non-existence proof of an equivalent key will be explainedreferring to FIG. 34.

In the following explanation of FIG. 34, “+” denotes an XOR operation.

Here, it is assumed to input two 128-bit key data SK1 and SK2 (SK1≠SK2),and that the bit length transformation unit 310 outputs SK1_(high)=SK1=(SKH1|SKL1) from SK1 and SK2 _(high)=SK2=(SKH2|SKL2) fromSK2. Here, SKHi (i=1,2) means the upper 64-bit data of SKi and SKLi(i=1,2) means the lower 64-bit data of SKi.

Assuming that XOR data of SKH1 and SKH2 is ΔA and XOR data of SKL1 andSKL2 is ΔB, it can be said “at least ΔA≠0 or ΔB≠0” since SK1≠SK2.

As shown in FIG. 34, these ΔA and ΔB become ΔA+ΔD, ΔB+ΔC, respectively,by receiving the two rounds of non-linear transformations. This meansthat XOR data (ΔA|ΔB) of SK1 _(high) and SK2 _(high) becomes XOR data(ΔA+ΔD|ΔB+ΔC) after performing the two rounds of non-lineartransformations to SK1 _(high) and the transformed data after performingthe two rounds of non-linear transformations to SK2 _(high).Accordingly, when these pieces of data after performing the two roundsof non-linear transformations are XORed with SK1 _(high) and SK1_(high), respectively, at an XOR circuit 999, the XORed results of twopieces of data become (ΔD|ΔC). If the non-linear transformation is abijective function, inputting ΔX≠0 always causes to output ΔY≠0, so thatwhen “at least ΔA≠0 or ΔB≠0”, it can be said “at least ΔC≠0 or ΔD≠0”.Therefore, since it is impossible to output the same data from SK1_(high) and SK2 _(high) through the two rounds of non-lineartransformations, non-existence of the equivalent key is proved.

On the other hand, as shown in FIG. 35, another case will be considered,in which the three rounds of non-linear transformations are performedinstead of two rounds of non-linear transformations. Since it can besaid “at least ΔA≠0 or ΔB≠0”, there may be a case such that either A Aor ΔB can be 0. If ΔA=0, ΔC=0, and in the same manner as discussedabove, the XOR data (0|ΔB) of SK1 _(high) and SK2 _(high) becomes theXOR data (ΔB+ΔE|ΔE|ΔD) after performing the three rounds of non-lineartransformations to SK1 _(high) and the transformed data after performingthe three rounds of non-linear transformations to SK2 _(high).Accordingly, when these pieces of data after receiving the three roundsof non-linear transformations are XORed with SK1 _(high) and SK2_(high), respectively, at the XOR circuit 999, the XORed results of twopieces of data become (ΔB+ΔE|ΔB+ΔD). Here, when it is assumedΔB=ΔD=ΔE≠0, the following is true: (ΔB+ΔE|ΔB+ΔD)=(0|0). That is, whenthese pieces of data after performing the three rounds of non-lineartransformations are XORed with SK1 _(high) and SK2 _(high),respectively, the operation results are the same. Namely, SK1 _(high)and SK2 _(high) output the same data, so that the equivalent keys exist,which are troublesome in respect of the security.

Not only the above-mentioned case of three-round non-lineartransformation, a general non-linear transformation may output theequivalent K₁ from different SK1 and SK2, that means an equivalent keymay exist. However, it is possible to prove the non-existence of theequivalent key when the two-round non-linear transformation according tothe present embodiment is employed.

Further, there may be another case in which the non-existence of theequivalent key is proved other than the two-round non-lineartransformation according to the present embodiment, however, it ispreferable to use the two-round non-linear transformation because of asimple configuration in addition to the proved non-existence of theequivalent key.

FIG. 24 shows a computer for installing the data transformation unit forencryption 100 or the data transformation unit for decryption 400.

The data transformation unit for encryption 100 and/or the datatransformation unit for decryption 400 is connected to the bus as aprinted circuit board. This printed circuit board is provided with aCPU, a memory, and a logical circuit element, and encrypts plaintextssupplied from the CPU into ciphertexts using the above-mentionedoperation and returns the data to the CPU. Or it decrypts ciphertextssupplied from the CPU and returns the plaintexts to the CPU.

In this way, the data transformation unit for encryption 100 or the datatransformation unit for decryption 400 can be implemented by thehardware. Further, the data transformation unit for encryption 100 orthe data transformation unit for decryption 400 can be also implementedby the software as the data transformation method. Namely, the aboveoperation can be performed using the program stored in a magnetic diskdrive or a flexible disk drive. In another way, the above operation canbe implemented by combining the hardware and the software, though thisis not shown in the figure. Further, it is not required to implement allthe above operation using one computer, but it is possible to implementthe above operation by a distributed system such as a server and aclient, or a host computer and a terminal computer, though this is notshown in the figure.

In the foregoing FIGS. 1 through 47, an arrow shows a direction of theoperation flow, and the figures having the arrow are block diagrams ofthe data transformation unit and also flowcharts. “ . . . unit” shown inthe above block diagrams can be replaced with “ . . . step” or “ . . .process”, so that the diagrams can be considered as operation flowchartsor program flowcharts showing the data transformation method.

In the foregoing embodiments, a case in which 128-bit plaintexts andciphertexts are used has been explained, but the data can be 256-bitplaintexts and ciphertexts, or plaintexts and ciphertexts having anothernumber of bits.

Further, in the foregoing embodiments, a case in which 128-bit, 192-bit,256-bit key data and 64-bit extension keys are used, but the key datacan have another number of bits.

If the bit length of the plaintexts and the ciphertexts, the key dataand the extension key are changed, of course, the bit length to beprocessed by each unit, each step, or each process is changed accordingto the bit length.

INDUSTRIAL AVAILABILITY

According to the embodiment of the present invention, the normal datatransformation unit (FL) 251 and the inverse data transformation unit(FL⁻¹) are provided for implementing the encryption and the decryptionusing the same algorithm, so that the encryption unit 200 and thedecryption unit 500 can share the circuit.

Further, according to the embodiment of the present invention, thetransformation table T is shared by the S-box first transformation unit13 and the S-box second transformation unit 14, so that theconfiguration is simplified.

Further, according to the embodiment of the present invention, thesubfield transformation unit 18 is used, which makes the configurationsimpler, and the linear transformation unit 85 and the lineartransformation unit 87 are provided, so that the security is improvedeven if the subfield transformation unit 18 is used.

Further, according to the embodiment of the present invention, the shiftcontrol unit 345 can make the shift register operate integer number oftimes to perform the shifting of the key data with the number ofshifting bits (for example, 30 bits or 34 bits) which is not a fixednumber of bits such as only 15 bits or 17 bits, and improves thesecurity.

Further, according to the embodiment of the present invention, a case isprovided in which the shifted data in the shift register is not used forthe extension key, which further improves the security.

Further, according to the embodiment of the present invention, even ifthe key data having different number of bits is input, the bit lengthtransformation unit 310 changes to the key data with a fixed length,which enables to operate a flexible key generation.

Further, according to the embodiment of the present invention, thetwo-round non-linear transformation is used in the first G-bit keytransformation unit 320, so that non-existence of the key beingequivalent to K₁ can be proved, which improves the security.

Further, according to the embodiment of the present invention, thelocation of the key function 25 is altered, which enables a high-speedprocessing.

The invention claimed is:
 1. A data transformation apparatus having adata processing unit for inputting data to be transformed and a key, andperforming encryption or decryption of the data to be transformed, thedata processing unit comprising: a divider for dividing the data to betransformed into first data and second data and forwarding the first andsecond data along first and second data pathways, respectively; a normaldata transformation unit connected to the first pathway for receivingand transforming the first data; an inverse data transformation unitconnected to the second pathway for receiving and transforming thesecond data by performing an inverse transformation of a transformationby the normal data transformation unit; a non-linear data transformationunit connected to the first and second pathways for receiving andprocessing the first and second data, wherein the non-linear datatransformation unit is configured to process the first data before orafter the first data is transformed by the normal data transformationunit, and wherein the non-linear data transformation unit is configuredto process the second data before or after the second data istransformed by the inverse data transformation unit; and a combiningunit for combining the processed and transformed first data from thefirst pathway with the processed and transformed second data from thesecond pathway, thereby producing ciphertext or plaintext depending onwhether encryption or decryption, respectively, is being performed,wherein the combination of non-linear transformation unit, normal datatransformation unit, and inverse data transformation unit is configuredin such a manner that the data processing unit is capable of: receivingand encrypting particular plaintext data to produce particularciphertext data, and receiving and decrypting the particular ciphertextdata to produce the particular plaintext data, and wherein each of thenormal data transformation unit, inverse data transformation unit, andnon-linear transformation unit is implemented using at least one of acomputer processor and a logical operation circuit.
 2. The datatransformation apparatus of claim 1, wherein the non-lineartransformation unit includes a first input port, a second input port, afirst output port, and a second output port, wherein the normal datatransformation unit outputs the transformed first data to the firstinput port of the non-linear transformation unit, wherein the non-lineartransformation unit processes the transformed first data received at thefirst input port, and outputs the processed transformed first data fromthe first output port, wherein the non-linear transformation unitreceives and processes the second data at the second input port, andoutputs the processed second data from the second output port, andwherein the inverse data transformation unit transforms the processedsecond data output from the second output port of the data processingunit.
 3. The data transformation apparatus of claim 1, wherein thenon-linear transformation unit includes a first input port, a secondinput port, a first output port, and a second output port, wherein theinverse data transformation unit outputs the transformed first data tothe first input port of the non-linear transformation unit, wherein thenon-linear transformation unit processes the transformed first datareceived at the first input port, and outputs the processed transformedfirst data from the first output port, wherein the non-lineartransformation unit receives and processes the second data at the secondinput port, and outputs the processed second data from the second outputport, and wherein the normal data transformation unit transforms theprocessed second data output from the second output port of the dataprocessing unit.
 4. The data transformation apparatus of claim 1,wherein the non-linear transformation unit performs a non-lineartransformation of the received data, wherein the non-lineartransformation unit includes: a first transformation unit (s₁) forinputting a part of the received data as first partial data,transforming the first partial data using a transformation table, whichtransforms a value of the data into another value; and a secondtransformation unit (s₂) for inputting at least another part of thereceived data as second partial data, transforming the second partialdata by a transformation using the transformation table and an operationfor the second partial data.
 5. The data transformation apparatus ofclaim 4, wherein the first transformation unit (s₁) inputs data y₁ tothe transformation table to output data s₁(y₁) and outputs the datas₁(y₁) as data z₁=s₁(y₁), and the second transformation unit (s₂) inputsdata y₂ to the transformation table to output data s₁(y₂), performsrotational shift on s₁(y₂) to output (rot (s₁(y₂))), and outputs thedata (rot (s₁(y₂))) as data z₂=rot (s₁(y₂)).
 6. The data transformationapparatus of claim 4, wherein the data processing unit further includesa third transformation unit (s₃) and a fourth transformation unit (s₄)for respectively inputting parts of the received data, which aredifferent from the first partial data and the second partial data, asthird partial data and fourth partial data, transforming the thirdpartial data and the fourth partial data using the transformation tableand operations for the third partial data and fourth partial data,respectively, which are different from the operation for the secondpartial data.
 7. The data transformation apparatus of claim 1, whereinthe data processing unit further comprises: a subfield transformationunit for receiving at least one of the first data transformed by thenormal data transformation unit and the second data, processing thereceived data as an element of a field, transforming the data by aninverse element circuit using a subfield of the field, and outputtingtransformed data; and an affine transformation unit for vector spaceGF(2)^(n) on GF(2), configured as at least one of a former round and alatter round of the subfield transformation unit, for extracting data onGF (2^(n)) to be transformed as an element of GF(2^(m)) whichcorresponds naturally, where n≠m.
 8. The data transformation apparatusof claim 7, wherein the subfield transformation unit includes onlyplural N/2-bit operation units for equally dividing data X having N (N:even number) bits into upper 2/N-bit data X₁ and lower N/2 bit data X₀so as to be X=X₀+βX₁(X₀, X₁: elements of the subfield, β: an element ofthe field), and obtaining data Y by respectively operating upper N/2-bitdata Y₁ and lower N/2-bit data Y₀ so as to be Y=Y₀+βY₁=1/(X₀+βX₁)(whereY=0, when X=0).
 9. The data transformation apparatus of claim 1, furthercomprising a key generating unit for generating key data to be used bythe data processing unit and supplying the key data to the dataprocessing unit, wherein the non-linear transformation unit includescascaded plural rounds, each of the plural rounds receiving an extensionkey and performing a non-linear transformation of data, wherein the keygenerating unit includes a key shifting unit for inputting at least oneof the key data and data generated from the key data and, depending onthe key data, performing a rotational shift by a predetermined number ofbits Z₁, Z₂, . . . , Z_(m), and generating an extension key for the eachof the plural rounds of the non-linear transformation unit from the keydata on which the rotational shift is performed, and wherein the keyshifting unit includes: a rotational shift register for performing arotational shift by B bits (where B=Z_(i+1)−Z_(i)) at one operation; anda controller for: operating the rotational shift register once on thekey data, on which the rotational shift has already been performed byZ_(i) bits, to perform the rotational shift by B bits, thereby causingthe rotational shift register to generate the key data on which therotational shift has been performed by a total of Z_(i+1) bits, andoperating the rotational shift register I time(s) (where I is aninteger) on the key data, on which the rotational shift has beenperformed by Z_(i+1) bits, to perform the rotational shift by I×B bits,thereby causing the rotational shift register to generate the key dataon which the rotational shift by a total of Z_(i+2) bits.
 10. The datatransformation apparatus of claim 9, wherein the rotational shiftregister is a circuit which performs a rotational shift of B bits(B=Z_(i+1)−Z_(i)) during each clock cycle of an operation clock suppliedfor operating the rotational shift register.
 11. The data transformationapparatus of claim 9, wherein the rotational shift circuit includes aselector for selecting one of B₁=8×J₁+1 (J₁=an integer greater than 0)bits and B₂=8×J₂−1 (J₂=an integer greater than 1) as the number of bitsB corresponding to each rotational shift.
 12. The data transformationapparatus of claim 1, further comprising a key generating unit forgenerating key data to be used by the data processing unit and supplyingthe key data to the data processing unit, wherein the non-lineartransformation unit includes cascaded plural rounds, each of the pluralrounds receiving an extension key and performing a non-lineartransformation of data, wherein the key generating unit comprises a keyshifting unit for rotationally shifting key data by a predeterminednumber of bits (B bits) successively on generating the extension key tobe supplied to each round of the non-linear transformation unit, andgenerating an extension key used for the each of the plural rounds ofthe non-linear transformation unit from key data, wherein the keyshifting unit ignores certain data among the key data being rotationallyshifted by B bits successively, and generates the extension key from theremaining data among the key data being rotationally shifted by B bitssuccessively.
 13. The data transformation apparatus of claim 1, furthercomprising a key generating unit for generating key data to be used bythe data processing unit and supplying the key data to the dataprocessing unit, wherein the key generating unit comprises: a firstG-bit key transformation unit for receiving and transforming key datahaving G bits, in order to output first transformed key data having Gbits; and a second G-bit transformation unit for receiving andtransforming the first transformed key data output from the first G-bitkey transformation unit, in order to output second transformed key data,and wherein, in case that the extension key is to be generated from keydata K having G bits, the key generating unit inputs the G-bit key dataK to the first G-bit key transformation unit in order to output G-bittransformed key data K₁ from the first G-bit key transformation unit,and wherein, in case that the extension key is to be generated from keydata K having 2G bits, the key generating unit generates G-bit key datafrom the 2G-bit key data K, inputs the generated G-bit key data to thefirst G-bit key transformation unit in order to output a first G-bittransformed key data K₁, inputs the first G-bit transformed key data K₁to the second G-bit transformation unit in order to output a secondG-bit transformed key data K₂, concatenates the first G-bit transformedkey data K₁ output from the first G-bit key transformation unit and thesecond G-bit transformed key data K₂ output from the second G-bittransformation unit, and outputs 2G-bit transformed key data resultingfrom the concatenation of the first and second G-bit transformed keydata K₁ and K₂.
 14. The data transformation apparatus of claim 13,wherein the first G-bit key transformation unit includes: a non-lineartransformation unit having two rounds for performing non-lineartransformation on the received key data having G bits; and a logicaloperation unit for performing a logical operation of a halfwaytransformed G-bit key data output from a second round of the non-lineartransformation unit and the key data received by the first G-bit keytransformation unit.
 15. The data transformation apparatus of claim 13,wherein the key generating unit further includes a bit lengthtransformation unit for converting Q-bit key data into the 2G-bit keydata in case that the Q-bit (G<Q<2G) key data is input.
 16. The datatransformation apparatus of claim 1, wherein the non-linear functionunit includes: an S function unit for converting at least one of thefirst data transformed by the normal data transformation unit and thesecond data; a key function unit for performing a logical operation onthe key and the data converted by the S function unit; and a P functionunit for performing a logical operation among pieces of data operated onby the key function unit.
 17. The data transformation apparatus of claim1, wherein the non-linear function unit includes: a key function unitfor performing a logical operation on data and the key; an S functionunit for converting data; and a P function unit for performing a logicaloperation among pieces of data, and wherein the key function unit isconfigured to perform one of the following: process the received data byperforming the logical operation on the received data and the key, theprocessed data being output from the key function unit to the S functionunit, and process data that has been converted by the S function unitand subsequently processed by the P function unit.
 18. The datatransformation apparatus of claim 17, wherein the S function unitincludes: a first transformation unit (s₁) for inputting a part of dataas first partial data, transforming the first partial data using atransformation table, which transforms a value of the data into anothervalue; and a second transformation unit (s₂) for inputting at leastanother part of data as second partial data, transforming the secondpartial data by a transformation using the transformation table and anoperation for the second partial data.
 19. The data transformationapparatus of claim 16, wherein the P function unit inputs eight piecesof 4n-bit data (n is an integer greater than 1) z₁, z₂, . . . , z₈, andincludes: a circuit for performing an XOR operation of at least two ofthe four pieces of data z₁, z₂, z₃, z₄ to obtain 4n-bit operation resultU₁; a circuit for performing an XOR operation of at least two of thefour pieces of data z₅, z₆, z₇, z₈ to obtain 4n-bit operation result U₂;a circuit for performing an XOR operation of U₁ and U₂ to obtain 4n-bitoperation result U₃; a rotational circuit for performing a rotationalshift on U₁; and a circuit for performing an XOR operation of outputfrom the rotational circuit and U₃ to obtain 4n-bit operation result U₄,and wherein the data transformation apparatus divides U₃ and U₄ intofour pieces of data, respectively, and outputs eight pieces of n-bitdata z′₁, z′₂, . . . , z′₈.
 20. A data transformation method forexecuting a data processing process for inputting data to be transformedand a key, and performing encryption or decryption of the data to betransformed, the data processing process comprising: dividing the datato be transformed into first data and second data applying a normal datatransformation process in order to transform the first data; applying aninverse data transformation process in order to transform the seconddata, wherein the inverse data transformation process performs aninverse transformation of a transformation performed by the normal datatransformation process; applying a non-linear transformation process forreceiving and processing the first and second data, wherein thenon-linear data transformation process processes the first data beforeor after the first data is transformed by the normal data transformationprocess, and wherein the non-linear data transformation processprocesses the second data before or after the second data is transformedby the inverse data transformation process, and combining thetransformed first and second data, thereby producing ciphertext orplaintext depending on whether encryption or decryption, respectively,is being performed, wherein the combination of normal datatransformation process, inverse data transformation process, andnon-linear transformation process is applied in such a manner that thedata processing process is capable of: receiving and decryptingparticular plaintext data to produce particular ciphertext data, andreceiving and decrypting the particular ciphertext data to produce theparticular plaintext data, and wherein each of the normal datatransformation process, inverse data transformation process, andnon-linear transformation process is executed using at least one of acomputer processor and a logical operation circuit.
 21. The datatransformation method of claim 20, wherein the non-linear transformationprocess performs a non-linear transformation of the received data,wherein the non-linear transformation process includes: a firsttransformation process (s₁) for inputting a part of the received data asfirst partial data, transforming the first partial data using atransformation table, which transforms a value of the data into anothervalue; and a second transformation process (s₂) for inputting at leastanother part of the received data as second partial data, transformingthe second partial data by transformation using the transformation tableand an operation for the second partial data.
 22. The datatransformation method of claim 20, wherein the data processing processfurther comprises: a subfield transformation process for receiving atleast one of the first data transformed by the normal datatransformation process and the second data, processing the received dataas an element of a field, transforming the data by an inverse elementcircuit using a subfield of the field, and outputting transformed data;and an affine transformation process for vector space GF(2)^(n) onGF(2), configured as at least one of a former round and a latter roundof the subfield transformation unit for extracting data on GF(2^(n)) tobe transformed as an element of GF(2^(m)) which corresponds naturally,where n≠m.
 23. The data transformation method of claim 20, furthercomprising a key generating process for generating key data to be usedby the data processing process and supplying the key data to the dataprocessing process, wherein the non-linear transformation processincludes cascaded plural rounds, each of the plural rounds receiving anextension key and performing a non-linear transformation of data,wherein the key generating process comprises a key shifting process forinputting at least one of the key data and data which is generated fromthe key data and depending on the key data, performing a rotationalshift by a predetermined number of bits Z₁, Z₂, . . . ,Z_(m), andgenerating an extension key for the each of the plural round of thenon-linear transformation process from the key data on which therotational shift is performed, and wherein the key shifting processincludes: a rotational shifting process; and a control process for:operating the rotational shifting process 1 time on the key data, onwhich the rotational shift is performed by Z_(i) bits, to perform therotational shift by B bits (where B=Z_(i+1)−Z_(i)), thereby causing therotational shifting process to generate the key data on which therotational shift has been performed by a total of Z_(i+1) bits, andoperating the rotational shifting process I time(s) (where I is aninteger) on the key data, on which the rotational shift has beenperformed by Z_(i+1) bits, to perform the rotational shift by I×B bits,thereby causing the rotational shifting process to generate the key dataon which the rotational shift has been performed by a total of Z_(i+2)bits.
 24. The data transformation method of claim 20, further comprisinga key generating process for generating key data to be used by the dataprocessing process and supplying the key data to the data processingprocess, wherein the non-linear transformation includes cascaded pluralrounds, each of the plural rounds receiving an extension key andperforming a non-linear transformation of data, wherein the keygenerating process comprises a key shifting process for rotationallyshifting key data by a predetermined number of bits (B bits)successively on generating the extension key to be supplied to eachround of the non-linear transformation process, and generating anextension key used for the each of the plural rounds of the non-lineartransformation process from key data being rotationally shifted, whereinthe key shifting process ignores certain data among the key data beingrotationally shifted by B bits successively, and generates the extensionkey from the remaining data among the key data being rotationallyshifted by B bits successively.
 25. The data transformation method ofclaim 20, further comprising a key generating process for generating keydata to be used by the data processing process and supplying the keydata to the data processing process, wherein the key generating processcomprises: a first G-bit key transformation process for receiving andtransforming key data having G bits, in order to output firsttransformed key data having G bits; and a second G-bit transformationprocess for receiving and transforming the first transformed key dataoutput from the first G-bit key transformation process, in order tooutput second transformed key data, and wherein, when the extension keyis to be generated from key data K having G bits, the key generatingprocess inputs the G-bit key data K to the first G-bit keytransformation process in order to output G-bit transformed key data K₁from the first G-bit key transformation process, and wherein, when theextension key is to be generated from key data K having 2G bits, the keygenerating process generates G-bit key data from the 2G-bit key data K,inputs the generated G-bit key data to the first G-bit keytransformation process in order to output a first G-bit transformed keydata K₁, inputs the first G-bit transformed key data K₁ to the secondG-bit transformation process in order to output a second G-bittransformed key data K₂, concatenates the first G-bit transformed keydata K₁ output from the first G-bit key transformation unit and thesecond G-bit transformed key data K₂ output from the second G-bittransformation unit, and outputs 2G-bit transformed key data resultingfrom the concatenation of the first and second G-bit transformed keydata K₁ and K₂.
 26. The data transformation method of claim 20, whereinthe non-linear function process includes: an S function process forconverting at least one of the first data transformed by the normal datatransformation process and the second data; a key function process forperforming a logical operation on the key and the data converted by theS function process; and a P function process for performing a logicaloperation among pieces of data operated on by the key function unit. 27.The data transformation method of claim 20, the data transformationmethod further comprising: a key function process for performing alogical operation of received data and the key; an S function processfor converting data; and a P function process for performing a logicaloperation among pieces of data, and wherein the key function process isconfigured to perform one of the following: process the received data byperforming the logical operation on the received data and the key, theprocessed data being output from the key function unit to the S functionunit, and process data that has been converted by the S function unitand subsequently processed by the P function unit.
 28. A datatransformation apparatus having a data processing unit for performingkey-based encryption and decryption of data, the data processing unitcomprising: a non-linear transformation unit including: a first inputport, a second input port, a first output port, and a second outputport; a first input normal data transformation unit for transformingdata to be provided to the first input port of the non-lineartransformation unit; a second output inverse data transformation unitfor receiving data from the second output port of the non-linear datatransformation unit, and performing an inverse transformation of atransformation by the first input normal data transformation unit; and acombining unit for combining data outputted via the first output portwith data transformed by the second output inverse data transformationunit, thereby producing ciphertext when key-based encryption is beingperformed and producing plaintext when key-based decryption isperformed, wherein the non-linear transformation unit receives data viathe first and second input ports, performs a common algorithm forprocessing the received data regardless of whether the received data isto be encrypted or decrypted, and outputs the processed data via thefirst and second output ports, wherein the combination of non-lineartransformation unit, normal data transformation unit, and inverse datatransformation unit is configured in such a manner that the dataprocessing unit is capable of: receiving and encrypting particularplaintext data to produce particular ciphertext data, and receiving anddecrypting the particular ciphertext data to produce the particularplaintext data, and wherein each of the normal data transformation unit,inverse data transformation unit, and non-linear transformation unit isimplemented using at least one of a computer processor and a logicaloperation circuit.
 29. The data transformation apparatus of claim 28,wherein the common algorithm of the non-linear transformation unit isdesigned to cause first and second input data to be identical withsecond and first output data, respectively, when the non-lineartransformation unit performs the following: receives the first inputdata via the first input port, receives the second input data via thesecond input port, performs the common algorithm on the first input dataand the second input data using an encryption key, thereby generatingfirst transformed data and second transformed data, outputs the firsttransformed data from the first output port, outputs the secondtransformed data from the second output port, receives the firsttransformed data via the second input port, receives the secondtransformed data via the first input port, performs the common algorithmon the first transformed data and the second transformed data using adecryption key, thereby generating the first output data and secondoutput data, outputs the first output data from the second output port,and outputs the second output data from the first output port.
 30. Thedata transformation apparatus of claim 29, wherein the data processingunit further comprises: a second input normal data transformation unitfor transforming data to be provided to the second input port of thenon-linear transformation unit; a first output inverse datatransformation unit for receiving data from the first output port andperforming an inverse transformation of a transformation by the secondinput normal data transformation unit.
 31. The data transformationapparatus of claim 28, further comprising a key generating unit forgenerating key data to be used by the non-linear transformation unit andsupplying the key data to the non-linear transformation unit, whereinthe key generating unit processes the key data to be supplied to thenon-linear transformation unit and supplies the processed key data to adifferent part of the data processing unit than the non-lineartransformation unit.
 32. The data transformation method of claim 20,further comprising a key generating process of generating key data whichis used by the data processing process and supplying the generated keydata to the data processing process, wherein the data processing processfurther comprises a non-linear function process for performing anon-linear transformation of at least one of the data transformed by thenormal data transformation process and the second data, the generatedkey data being supplied to the non-linear function process, and whereinthe key generating process processes the key data to be supplied to thenon-linear function process and supplies the processed key data to adifferent part of the data processing process than the non-linearfunction process.
 33. A program embodied on a computer-readable storagemedium, said program being executable on a computer to perform the datatransformation method of claim
 20. 34. A data transformation apparatushaving a data processing unit for inputting key data, generating atleast first key data and second key data, and performing datatransformation of at least one of encryption of data and decryption ofdata, the data processing unit comprising: a divider for dividing datato be transformed into first data and second data and forwarding thefirst and second data along first and second pathways respectively; anormal data transformation unit connected to the first pathway forinputting the first data and the first key data, and performingtransformation of the inputted data using an XOR circuit and a circuithaving a logical operation circuit for inputting the first key data andcarrying out a logical operation; and an inverse data transformationunit connected to the second pathway for inputting the second data andthe second key data, and performing transformation of the inputted datausing an XOR circuit and a circuit having a logical operation circuitfor inputting the second key data and carrying out a logical operation,wherein the transformation performed by the inverse data transformationunit is inverse to the transformation performed by the normal datatransformation unit if the second key data is an identical key to thefirst key data, wherein the normal data transformation unit and inversedata transformation unit are connected to the first and second pathways,respectively, in such a manner that the data processing unit is capableof: receiving and encrypting particular plaintext data to produceparticular ciphertext data, and receiving and decrypting the particularciphertext data to produce the particular plaintext data.
 35. The datatransformation unit of claim 34, wherein the normal data transformationunit comprises a circuit for dividing the inputted first data into firstleft input data and first right input data, transforming the first leftinput data by a logical operation with the first key data, XORing thetransformed first left input data and the first right input data, andoutputting the XORed result; and wherein the inverse data transformationunit comprises a circuit for dividing the inputted second data intosecond left input data and second right input data, transforming thesecond left input data by a logical operation with the second key data,XORing the transformed second left input data and the second right inputdata, and outputting the XORed result.
 36. The data transformationapparatus of claim 34, wherein the data transformation apparatus inputsthe key data and generates at least first key data, second key data,third key data, and fourth key data, wherein the normal datatransformation unit comprises a circuit for dividing the inputted firstdata into first left input data and first right input data, transformingthe first left input data by a logical operation with the first keydata, XORing the transformed first left input data and the first rightinput data, and outputting the XORed result as first right output data,transforming the first right output data by a logical operation with thethird key data, XORing the transformed first right output data and thefirst left input data, and outputting the XORed result as first leftoutput data, creating data from the first left output data and the firstright output data, and outputting the data created; and wherein theinverse data transformation unit comprises a circuit for dividing thesecond data inputted into second left input data and second right inputdata, transforming the second right input data by a logical operationwith the second key data, XORing the transformed second right input dataand the second left input data, and outputting the XORed result assecond left output data, transforming the second left output data by alogical operation with the fourth key data, XORing the transformedsecond left output data and the second right input data, and outputtingthe XORed result as second right output data, creating second outputdata from the second left output data and the second right output data,and outputting the data created.
 37. The data transformation apparatusof claim 34, wherein the logical operation circuit of the normal datatransformation unit is a logical operation circuit for inputting thefirst key data and performing at least a logical operation other than anXOR, and wherein the logical operation circuit of the inverse datatransformation unit is a logical operation circuit for inputting thesecond key data and performing at least a logical operation other thanan XOR.
 38. The data transformation apparatus of claim 34, wherein thenormal data transformation unit comprises a plurality of logicaloperation elements, wherein the inverse data transformation unitcomprises a plurality of logical operation elements a number of which isthe same as the plurality of logical operation elements of the normaldata transformation unit, and wherein the normal data transformationunit has a connection arrangement of the plurality of logical operationelements different from the inverse data transformation unit.
 39. Thedata transformation apparatus of claim 34, wherein the data processingunit comprises a non-linear data transformation unit having a firstinputting unit, a second inputting unit, a first outputting unit, and asecond outputting unit, wherein the normal data transformation unitoutputs the transformed data to the first inputting unit of thenon-linear data transformation unit, and wherein the inverse datatransformation unit transforms and outputs data outputted from thesecond outputting unit of the non-linear data transformation unit. 40.The data transformation apparatus of claim 34, wherein the dataprocessing unit comprises a non-linear data transformation unit having afirst inputting unit, a second inputting unit, a first outputting unit,and a second outputting unit, wherein the normal data transformationunit outputs the transformed data to the second inputting unit of thenon-linear data transformation unit, and wherein the inverse datatransformation unit transforms and outputs data outputted from the firstoutputting unit of the non-linear data transformation unit.
 41. A datatransformation method for a data transformation apparatus for inputtingkey data, generating at least first key data and second key data, andcarrying out data processing by performing data transformation of atleast one of encryption of data and decryption of data by a dataprocessing unit, a normal data transformation unit, and an inverse datatransformation unit, the data processing comprising: dividing data to betransformed into first data and second data by the data processing unit;applying normal data transformation process, by the normal datatransformation unit, for inputting the first data and the first keydata, and performing transformation of the inputted data using an XORcircuit and a circuit having a logical operation circuit for inputtingthe first key data and carrying out a logical operation; and applying aninverse data transformation process, by the inverse data transformationunit, for inputting second data and the second key data, and performingtransformation of the inputted data using an XOR circuit and a circuithaving a logical operation circuit for inputting the second key data andcarrying out a logical operation, wherein the transformation performedby the inverse data transformation unit is inverse to the transformationperformed by the normal data transformation process if the second keydata is an identical key to the first key data, wherein the normal datatransformation process and inverse data transformation process areapplied in such a manner that the data processing is capable of:receiving and encrypting particular plaintext data to produce particularciphertext data, and receiving and decrypting the particular ciphertextdata to produce the particular plaintext data.
 42. A data transformationapparatus having a data processing unit for inputting key data,generating at least first key data and second key data, and performingdata transformation of at least one of encryption of data and decryptionof data, the data processing unit comprising: a non-linear datatransformation unit having a first inputting unit, a second inputtingunit, a first outputting unit and a second outputting unit, andperforming the encryption of data and decryption of data with the samealgorithm; a first input normal data transformation unit for inputtingdata to be inputted to the first inputting unit and the first key data,and performing transformation of the data to be input to the firstinputting unit using an XOR circuit and a circuit having a logicaloperation circuit for inputting the first key data and carrying out alogical operation; and a second output inverse data transformation unitfor inputting data outputted from the second outputting unit and thesecond key data, and performing transformation of the data outputtedfrom the second outputting unit using an XOR circuit and a circuithaving a logical operation circuit for inputting the second key data andcarrying out a logical operation, wherein the transformation performedby the second output data inverse transformation unit is inverse to thetransformation performed by the first input data normal datatransformation unit if the second key data is an identical key to thefirst key data, wherein the combination of non-linear transformationunit, normal data transformation unit, and inverse data transformationunit is configured in such a manner that the data processing unit iscapable of: receiving and encrypting particular plaintext data toproduce particular ciphertext data, and receiving and decrypting theparticular ciphertext data to produce the particular plaintext data. 43.The data transformation apparatus of claim 42, wherein the non-lineardata transformation unit has an algorithm that the first input databecomes identical to the second output data, and the second input databecomes identical to the first output data when the first input data isinputted from the first inputting unit, the second input data isinputted from the second inputting unit, a non-linear transformation ofthe first input data and the second input data is performed using keydata for encryption to generate first transformed data and secondtransformed data, the first transformed data is outputted from the firstoutputting unit, the second transformed data is outputted from thesecond outputting unit, the first transformed data is inputted from thesecond inputting unit, the second transformed data is inputted from thefirst inputting unit, a non-linear transformation of the firsttransformed data and the second transformed data is performed using keydata for decryption to generate first output data and second outputdata, the first output data is outputted from the second outputtingunit, and the second output data is outputted from the first outputtingunit.
 44. The data transformation apparatus of claim 42 wherein the datatransformation apparatus further generates at least third key data andfourth key data, wherein the data processing unit further comprises: asecond input normal data transformation unit for inputting data to beinputted to the second inputting unit and the third key data, andperforming transformation of the data to be inputted to the secondinputting unit using an XOR circuit and a circuit having a logicaloperation circuit for inputting third key data and carrying out alogical operation; and a first output inverse data transformation unitfor inputting data outputted from the first outputting unit and thefourth key data, and performing transformation of the data outputtedfrom the first outputting unit using an XOR circuit and a circuit havinga logical operation circuit for inputting the fourth key data andcarrying out a logical operation, which performs a transformationinverse to the transformation performed by the second input data normaltransformation unit if the fourth key data is an identical key to thethird key data.
 45. A data transformation apparatus having a dataprocessing unit for inputting key data, generating at least first keydata and second key data, and performing data transformation of at leastone of encryption of data and decryption of data, the data processingunit comprising: a non-linear data transformation unit having a firstinputting unit, a second inputting unit, a first outputting unit and asecond outputting unit, and performing the encryption of data and thedecryption of data with the same algorithm; a second input normal datatransformation unit for inputting data to be inputted to the secondinputting unit and the first key data, and performing transformation ofthe data to be inputted to the second inputting unit using an XORcircuit and a circuit having a logical operation circuit for inputtingthe first key data and carrying out a logical operation; and a firstoutput data inverse transformation unit for inputting data outputtedfrom the first outputting unit and the second key data, and performingtransformation of the data to be outputted from the first outputtingunit using an XOR circuit and a circuit having a logical operationcircuit for inputting the second key data and carrying out a logicaloperation, wherein the transformation performed by the first output datainverse transformation unit is inverse to the transformation performedby the second input data normal transformation unit if the second keydata is an identical key to the first key data, wherein the combinationof non-linear transformation unit, normal data transformation unit, andinverse data transformation unit is configured in such a manner that thedata processing unit is capable of: receiving and encrypting particularplaintext data to produce particular ciphertext data, and receiving anddecrypting the particular ciphertext data to produce the particularplaintext data.
 46. A computer-readable storage medium storing a programfor having a computer perform the data transformation method for thedata transformation apparatus claimed in claim
 41. 47. A datatransformation apparatus having a data processing unit implemented usingat least one of a computer processor and a logical operation circuit forperforming at least one of encryption of data and decryption of databased on input key data, wherein the data processing unit divides datato be transformed into first data and second data, and performs a datatransformation, the data processing unit comprising: a normal datatransformation unit implemented using at least one of a computerprocessor and a logical operation circuit for transforming the firstdata based on the input key data; and an inverse data transformationunit implemented using at least one of a computer processor and alogical operation circuit for transforming the second data by performingan inverse transformation of a transformation by the normal datatransformation unit based on the input key data, wherein the dataprocessing unit performs the data transformation by the normal datatransformation unit and the data transformation by the inverse datatransformation unit in parallel.
 48. A data transformation methodexecuted using at least one of a computer processor and a logicaloperation circuit for executing a data processing process for performingat least one of encryption of data and decryption of data based on inputkey data, wherein the data processing process divides data to betransformed into first data and second data, and performs a datatransformation, the data processing process comprising: a normal datatransformation process executed using at least one of a computerprocessor and a logical operation circuit for transforming the firstdata based on the input key data; and an inverse data transformationprocess executed using at least one of a computer processor and alogical operation circuit for transforming the second data by performingan inverse transformation of a transformation by the normal datatransformation process based on the input key data, wherein the dataprocessing process performs the data transformation by the normal datatransformation process and the data transformation by the inverse datatransformation process in parallel.